A CSR is an encoded file that contains information about your company, your website name, company contact details and domain name. This encoded text is an essential part of generating an SSL certificate. It is advisable to generate a Certificate Signing Request (CSR) before you proceed to order an SSL certificate. The information provided in the CSR is used by the certificate authority to build your SSL certificate. The CSR also contains the public key that has to be included in the SSL certificate. The CSR is a standardized method of sending your public key to the Certificate Authority.
Generating a CSR requires creation of a key pair (a public key and a private key) for your server. This key pair cannot be separated. If you lose either of these keys or generate a new one, your SSL certificate won’t match, and you will have to request a new SSL certificate.
The CSR comprises the following attributes:
- Common Name (CN): This is the domain name of your server. It should be exactly the same as the URL of your website (the URL that you enter in the web browser). If it does not match, you will receive a security error.
- Organization Name (O): This is the legal name of your organization or company. It includes corporate identifiers like Corp, Inc., LLC, etc.
- Organization Unit (OU): This is the name of the department or organization unit for which there is a request.
- Locality (L): This field depicts the city or town in which you are located.
- State or Province Name (ST): This field depicts the state or province in which you are located.
- Country (C): This field depicts the country in which you are located.
- Email Address: This is the email address associated with the company.
- Root Length: The bit length of the key pair determines the strength of the key and how easily it can be cracked using brute-force methods. The 2048-bit key size is the new industry standard and is used to ensure security well into the foreseeable future.
- Signature Algorithm: This field depicts the hashing algorithm used by certificate authorities to sign certificates and certificate revocation lists, generating unique hash values from files. It is recommended that the certificate be signed with SHA-2 because this is the strongest signature algorithm.
Steps to Generate a Certificate Signing Request (CSR) on Windows:
It is possible to generate a Certificate Signing Request code by yourself. Here are the instructions to generate a CSR:
- First launch the “IIS Manager” by opening the Run command, typing the “inetmgr” command and clicking the “OK” button.
- Select the Server from the “Connections” pane on the left side of the window.
- Open the “Server Certificates” folder.
- Click on the link which says “Create Certificate Request” in the Actions pane on the same window.
- Fill out all the fields mentioned above and enter the distinguished name properties (common name, organization name, and location information).
- Click on the “Next” button.
- Set the cryptographic service provider properties and select the default key size as 2048 bit.
- Click on the “Next” button.
- Name your CSR file with an appropriate name.
- Click on the “Finish” button.
- Then click on the “Apply” button.
- Open the “Enrollment form” with the help of a text editor. You can copy and paste all the information into this enrollment form.
- Then click on the “Apply Changes” button.
- Verify your CSR.
You have now generated your Certificate Signing Request. Once this is done, you can open the CSR in a text editor and submit it to get it signed. A CSR is created in Base-64 encoded PEM format, so it can be opened and viewed in a text editor.
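
The same request can be produced and checked from the command line. The following is an added example, not part of the original instructions: it uses the built-in certreq.exe and certutil.exe tools in place of the IIS Manager wizard, and then performs the "Verify your CSR" step by inspecting the generated file. The subject values, folder and file names are constructed placeholders, and the key-length check assumes English certutil output.

```powershell
# Run from an elevated PowerShell prompt: MachineKeySet = TRUE keeps the
# private key in the local machine store, where IIS expects to find it.
$workDir = Join-Path $env:TEMP 'csr-example'          # hypothetical folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'
Remove-Item $csrPath -ErrorAction SilentlyContinue    # avoid overwrite prompt

# Constructed sample subject; replace every value with your own details.
# Windows writes the State attribute as "S" in the subject string.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com, O=Example Corp, OU=IT, L=Springfield, S=Illinois, C=US"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
'@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair and the CSR. The private key never leaves the machine;
# only request.csr is sent to the certificate authority.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify the CSR: decode it and confirm key size and signature algorithm.
$dump = (certutil.exe -dump $csrPath) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $csrPath" }

$checks = [ordered]@{
    'PEM header present'  = (Get-Content $csrPath -First 1) -match 'BEGIN NEW CERTIFICATE REQUEST'
    'Key is 2048 bits'    = $dump -match 'Public Key Length:\s*2048 bits'
    # OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption (a SHA-2 signature).
    'Signed with SHA-256' = $dump -match '1\.2\.840\.113549\.1\.1\.11'
    'Common name matches' = $dump -match 'CN=www\.example\.com'
}
$checks.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { throw 'CSR failed verification; do not submit it.' }
```

Setting Exportable = FALSE prevents the private key from being exported from the server later, so leave it at TRUE only if you plan to move the certificate and key to another machine.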