What is a Certificate Signing Request (CSR)?

A CSR (Certificate Signing Request) is a small, encoded text file containing information about the organization and the domain you wish to secure. It is required for the activation of a digital SSL certificate and, as a rule, is generated on the server where the certificate is to be installed. A CSR is submitted to the Certificate Authority and used to generate the certificate.

For the instructions on how to generate the CSR code, you can consult your server documentation or check the following article in our Knowledgebase that contains the most common server types.

The Certificate Signing Request should have the following information:

  1. Common name (CN) – primary domain of the certificate, the fully qualified domain name for which the SSL will be activated (e.g. example.com). For Wildcard certificates, the domain name should be represented with an asterisk in front (e.g. *.example.com).
  2. Locality (L) – the city where the company or applicant is located (e.g. Los Angeles). This parameter should not be abbreviated.
  3. State (S) – the state, county or region the company or applicant is located in (e.g. California).
  4. Country (C) – the two-letter code of the country where the company or applicant is located (e.g. US).
  5. Organization (O) – the officially registered name of the organization that applies for a certificate (e.g. Namecheap Inc.). For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field is not critical and the details will not be listed on the issued certificate, however it should be filled in.
  6. Organization Unit (OU) – the name of the department or division within the submitted organization (e.g. SSL Support).
  7. Email Address – an email address of the company or the applicant. This field is optional.

The CSR code can contain SAN (Subject Alternative Name) fields, which can be used for additional domains you would like to include in a multi-domain certificate. Some web servers and CSR-code generators might have SAN fields included for CSR generation. You can use those fields if you are sure about the domains and the number you would like to secure. You are not obligated to fill in SAN fields during CSR-code generation. If the CSR code is generated with SAN fields, our system will try to fetch them automatically to the corresponding boxes for additional domains when activating a Multi-domain certificate. If the CSR was generated for the primary domain only, additional domains should be filled in manually during the activation.

The CSR code also contains the public key that will be included in your certificate. The encryption of data by SSL certificates is based on using two keys – public and private. The public key (embedded into the CSR code and into the issued certificate) is used to encrypt data prior to sending it to the server where the certificate has been installed. It is sent to every Internet user who submits information at a site secured by the certificate. The CSR code is generated along with the private key. The private key (RSA key) is necessary to decrypt data that has been encrypted using a public key. Only the server that has an RSA key is able to decrypt data. This makes data transmission via SSL secure and safe. The private key should not be revealed to any third parties, as this may compromise the certificate. If the private key was lost or compromised, the certificate should be reissued with a new CSR code generated along with a new RSA key, and the initial certificate revoked to avoid any possible security issues.

Also, the CSR contains the information about the type of the key and key length. The most common and frequently used key type is RSA. However, it is also possible to submit CSR codes with ECDSA keys for the certificate activation.

The minimum possible key size for RSA keys is 2048 bits. It is considered strong and there is no critical need to make the private key stronger. However, Comodo (now Sectigo) certificates can be also activated with 4096 and 8192 bits key size. Remember that not all devices can support strong keys!

CSR is a Base-64 code that starts with the header -----BEGIN CERTIFICATE REQUEST----- and ends with a footer -----END CERTIFICATE REQUEST----- (CSR codes generated on Windows Servers will have tags -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----). When activating the certificate, please copy the CSR code including both header and footer into the activation page.

Below you can find an example of the certificate signing request:

You can check the CSR information using this decoding tool.

A Certificate Signing Request (CSR) is a small encoded text file that contains essential information about an organization and the domain it intends to secure. It is a necessary component for activating a digital SSL certificate and is typically generated on the server where the certificate will be installed. The CSR is submitted to a Certificate Authority to facilitate the issuance of the certificate.

To obtain instructions on generating the CSR code, refer to your server documentation or consult our Knowledgebase article that covers various server types commonly used.

A valid CSR should include the following details:

  1. Common Name (CN): The primary domain for which the SSL certificate will be activated, represented by a fully qualified domain name (e.g., example.com). In the case of Wildcard certificates, the domain name should start with an asterisk (e.g., *.example.com).
  2. Locality (L): The city where the organization or applicant is located (e.g., Los Angeles). It is recommended to provide the full city name without abbreviation.
  3. State (S): The state, county, or region where the organization or applicant is situated (e.g., California).
  4. Country (C): The two-letter country code where the organization or applicant is based (e.g., US).
  5. Organization (O): The officially registered name of the organization applying for the certificate (e.g., Namecheap Inc.). For Organization Validation (OV) and Extended Validation (EV) certificates, the Certificate Authorities verify the submitted organization details. For Domain Validation (DV) SSL certificates, this field is less critical as the details are not listed on the issued certificate, but it should still be filled in.
  6. Organization Unit (OU): The name of the department or division within the organization that is submitting the application (e.g., SSL Support).
  7. Email Address: An optional field that can contain the email address of the company or applicant.

The CSR code may also include Subject Alternative Name (SAN) fields, allowing the inclusion of additional domains in a multi-domain certificate. Some web servers and CSR code generators may have built-in SAN fields for CSR generation. These fields can be used if you are certain about the domains and their number that you want to secure. However, it is not mandatory to fill in the SAN fields during CSR code generation. If the CSR code contains SAN fields, our system will attempt to automatically fetch them and display them in the corresponding boxes for additional domains during the certificate activation process. If the CSR was generated solely for the primary domain, any additional domains should be manually entered during activation.

The CSR code also contains the public key, which is included in the certificate. SSL certificate encryption relies on two keys: the public key (embedded in the CSR code and the issued certificate) and the private key. The public key encrypts data before it is sent to the server with the installed certificate and is shared with every internet user submitting information on a site secured by the certificate. The CSR code is generated alongside the private key (RSA key), which is essential for decrypting data encrypted with the public key. Only the server possessing the RSA key can decrypt the data, ensuring secure data transmission via SSL. The private key should never be disclosed to third parties to avoid compromising the certificate. In case the private key is lost or compromised, a new CSR code should be generated along with a new RSA key for certificate reissuance, while the initial certificate should be revoked to mitigate potential security risks.

Additionally, the CSR code specifies the key type and key length. The most common and widely used key type is RSA, but it is also possible to submit CSR codes with ECDSA keys for certificate activation.

The minimum recommended key size for RSA keys is 2048 bits, which is considered secure and does not typically require further strengthening. However, Comodo (now Sectigo) certificates can be activated with 4096 and 8192 bits key sizes as well. It’s important to note that not all devices support strong key sizes, so compatibility should be considered.

A CSR is a Base-64 encoded code that starts with the header "-----BEGIN CERTIFICATE REQUEST-----" and ends with the footer "-----END CERTIFICATE REQUEST-----" (Windows Servers may use tags "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----"). When activating the certificate, make sure to copy the entire CSR code, including both the header and footer, into the appropriate field on the activation page.
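
A local pre-submission check for the items described above (subject fields, SAN entries, key size, and the link between a CSR and its private key), added here as an example and not taken from the original article. It assumes the OpenSSL command-line tool, version 1.1.1 or later; the subject values, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: local checks on a CSR before it is pasted into an activation form.
# Assumes the OpenSSL CLI (1.1.1 or later); subject values and file names are constructed.

# Create a 2048-bit RSA key and a CSR with the subject fields and two SAN entries.
make_csr() {  # $1 = output directory
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/C=US/ST=California/L=Los Angeles/O=Example Inc./OU=IT/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null &&
  chmod 600 "$1/server.key"   # the private key stays on the server, owner-readable only
}

# Subject on one line in RFC 2253 order (CN first, C last).
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Public key length in bits, taken from the text dump.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# SAN entries, one per line (empty output when the CSR has none).
csr_sans() {
  openssl req -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;s/ //g;p;}' | tr ',' '\n'
}

# True only if the CSR's self-signature verifies. The output text is matched
# so the result does not depend on the exit status.
csr_sig_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# True only if the CSR embeds the public half of the given private key.
csr_matches_key() {  # $1 = CSR, $2 = private key
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run every check; print the subject and SANs only when all of them pass.
csr_check() {  # $1 = CSR, $2 = private key
  csr_sig_ok "$1" || { echo "FAIL: self-signature does not verify"; return 1; }
  csr_matches_key "$1" "$2" || { echo "FAIL: CSR does not belong to this key"; return 1; }
  [ "$(csr_key_bits "$1")" -ge 2048 ] || { echo "FAIL: key shorter than 2048 bits"; return 1; }
  echo "OK: $(csr_subject "$1")"; csr_sans "$1"
}

# Demo on a throwaway key pair; the directory holds a private key, so remove it afterwards.
demo=$(mktemp -d) && make_csr "$demo" && csr_check "$demo/server.csr" "$demo/server.key"
rm -rf "$demo"
```

The 2048-bit threshold applies to RSA keys; a CSR with an ECDSA key reports a much smaller bit count and needs its own threshold.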

Below is an example of a certificate signing request:


    Next Steps

    1. Validate Domain (Authenticate domain depending on which method you choose)

    Check the email that has been sent to you. To confirm the domain ownership rights for your certificate, you need to copy the validation code from the approval email, follow the link in it and paste the validation code into the corresponding field.

    From the email, please click the link to the verification page. Once on the verification page, please enter the code provided in the email for verification.

    That’s it!

    After you have completed verification, a confirmation email will be sent to you. And shortly after, an issue confirmation will be sent to you via email. You can follow the link to the portal to download your newly issued certificate.

    If you have followed the steps above and did not receive an approval email to your mailbox, please click the link to the portal and double check your validation method or contact us for help. 

    Another way of verifying a domain is DNS (TXT record) Verification. If you selected DNS Authentication as your verification method, you will receive a unique TXT record via email consisting of two parts:

    • 1. Name: Name/Host/Alias/TXT: Blank or @
    • 2. Value/Points to/Destination: "wisekey=XXXXXXX"
    • TTL: This is your TTL (Time-To-Live) value. Set it to 3600 or lower.

    Verify by adding a TXT record in your DNS. Please verify and check that you have added the correct record.

    Please submit a request for support if you face any issues.

    Depending on your DNS provider, you may have to wait for at least an hour for the changes to take effect in the DNS servers. You will be notified via email when the domain is verified.

    The third method of verifying a domain is HTTP File Upload Verification. After choosing File Authentication as your verification method, you will receive an email and be asked to download a unique verification file (Format: .txt) and upload it to a specific directory on your web server.



    Verify by uploading the attached file fileauth.txt in your web server as follows:



    • 1. Download the text file fileauth.txt (attached with the email).
    • 2. Upload the above file (fileauth.txt) to your host in this EXACT path: http://my-domain.com/.well-known/pki-validation/fileauth.txt


    You may have to wait for at least an hour for the changes to take effect in the validation services. You will be notified via email when the domain is verified.

    Please submit a request for support if you face any issues.

    2. Receive Confirmation (After validation an email will be sent with a link to certificate)

    3. Download certificate and upload to hosting

    Notice: After generating a CSR,
    1. Copy the private key and keep it to yourself for reference.
    2. Copy only the CSR above and paste it in to request your TS Certificate.