What is Certificate Signing Request
CSR is abridgement of Certificate Signing Request,its a block of encrypted text that is generated on the server that the certificate will be used on.
It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.
Certificate authority (CA) will use a CSR to create your SSL certificate, but it does not need your private key.
The private key secret issued by CA should be confidential and keep it for you only.
CSR contains the following informations:
- Common Name :The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error exmaple : *.domainname.tld.
- Organization:The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. exmaple:Company Inc.
- Organizational Unit:The division of your organization handling the certificate , exmaple :Information Technology.
- City/Locality:The city where your organization is located , example:Mountain View.
- State/County/Region:The state/region where your organization is located. This shouldn’t be abbreviated, example:New York.
- Country:The two-letter ISO code for the country where your organization is location,example:US,CA.
- Email address:An email address used to contact your organization,webmaster@domain.tld.
- Public Key:The public key that will go into the certificate.
CSR’s format
Most CSRs are created in the Base-64 encoded PEM format. This format includes the “—–BEGIN CERTIFICATE REQUEST—–” and “—–END CERTIFICATE REQUEST—–” lines at the begining and end of the CSR. A PEM format CSR can be opened in a text editor .
To generate CSR and private key
openssl req -new -keyout server.key -out server.csr
Decode a CSR
openssl req -in server.csr -noout -text