What is a CSR?
A CSR stands for Certificate Signing Request and is necessary for all SSL certificates in order to complete the generation process. It is usually generated from your web server / web hosting control panel. It is created based on the following parameters.
Country Name (C): Use the two-letter country ISO code without punctuation. For example: “US” or “IN”.
State or Province (S): Spell out the state or province name completely. Do not abbreviate. For example: “California” or “Maharashtra”.
Locality or City (L): This field is for the City or Town name. For example: “Washington” or “Mumbai”.
Organization (O): Company or business name needs to be entered here. For example: “XYZ Corporation”.
Organizational Unit (OU): This field is the name of the department or organization unit making the request such as “Sales” or “Marketing”.
Common Name (CN): Enter the hostname / domain name for your website i.e. “www.example.com” or “example.com” or “server2.example.com”.
What do I need to keep in mind while generating the CSR?
- To secure both www & non-www versions of domain.com under a Standard SSL certificate, enter Common Name as www.domain.com
- For Wildcard certificates enter Common Name as *.yourdomain.com
- While filling details, only use the English alphabet and numbers 0-9. Ensure no spaces in the Common Name.
- If the “&” symbol is included in your Organization / Organisation Unit name, type out “and” instead.
How to generate the CSR?
Please consult official documentation for your web server to know how to generate a CSR with a 2048-bit key. Most documentation can be found online through a simple Google search. If you use a web hosting service for your website, check with your web hosting support team on how to generate it from their system.
Alternately, if your web server / hosting control panel allows you to import an externally generated CSR & Private key, you can generate a CSR (with a 2048-bit Private key) using an online free service such as csrgenerator.com.
How do I check / decode the CSR generated? What can I do if I noticed something incorrect in my CSR?
You can use an online decoder tool to verify the CSR generated. It is impossible to edit any fields once it has been created. You will need to generate a new CSR with the correct details.
The CSR cannot be decoded. What does that mean and what should I do?
Make sure you have the correct file copied and not your self-signed certificate, your previous SSL, or if it is bundled as a PKCS7 or PKCS12. Or, you could have a pass-phrase that does not have alpha-numeric characters or disallowed characters. If this is the case, you will need to generate a new CSR without the disallowed characters or in the proper form. Please only use the English alphabet and numbers 0-9. For example, if the “&” symbol is included in your Organization Name, please type out “and” instead.
What is a private key used for?
The private key is used on the server-side exchange for creating the secure connection. It should never be exposed to your SSL provider or outside users, unless specifically requested by your web host for installation. Please note if the private key is lost or deleted, you will have to once again generate CSR and private key on your server. Your private key is not provided by the Certificate Authority (CA) or your SSL provider.
What should I do with my private key?
Your private key should always remain private. The only person that should see your private key is your hosting company, if they ask for it. However, do not delete your private key, as it is required for your certificate to work.