What Is Certificate signing request? Security Definition
On This Page
What do you want to do?
Quick Definition
A Certificate Signing Request (CSR) is like a formal application form you fill out to get a digital ID card for your website or server. You send it to a trusted company (Certificate Authority) along with your public key, and they verify your details before issuing the ID. The CSR contains information about who you are and where you operate, such as your domain name and organization name. Once the CA validates everything, they sign your request and give you a certificate that proves your identity online.
Common Commands & Configuration
openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csrGenerates a new RSA 2048-bit private key and a CSR in one step. The -nodes flag ensures the private key is not encrypted with a passphrase.
Exams (e.g., Security+, AWS-SAA) test the ability to recognize CSR generation commands. The -nodes option and key size are common distractors.
openssl req -in example.csr -noout -textDisplays the contents of a CSR in a human-readable format, including subject, public key, and extensions.
Appears in troubleshooting scenarios where candidates must inspect a CSR to verify subject fields (e.g., CN, OU) match the intended domain.
openssl req -new -key example.key -out example.csrGenerates a CSR using an existing private key file.
Tests understanding of CSR lifecycle: you can reuse a key for renewal. Seen in CySA+ and CISSP questions about key management.
openssl req -in example.csr -noout -subject | grep CNExtracts only the CN field from a CSR to quickly verify the domain name.
Common in cloud exams (AWS-SAA, AZ-104) where you need to validate CSR for certificate issuance or ACM import.
openssl req -new -sha256 -key example.key -out example.csr -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=www.example.com"Generates a CSR with SHA-256 hash and inline subject fields, avoiding interactive prompts.
Exams (e.g., MS-102, SC-900) test the -subj flag for automation scripts, often in hybrid or Azure AD certificate scenarios.
openssl req -verify -in example.csr -nooutVerifies the signature on a CSR to ensure it hasn't been tampered with.
Security+ and CISSP questions use this to validate integrity checks. A failed verification indicates a corrupt or malicious CSR.
openssl req -in example.csr -outform PEM -out example.pemConverts a CSR from DER format to PEM format.
Exam scenarios (e.g., importing CSRs into ACM or Azure Key Vault) often require PEM format. Tests understanding of encoding conversions.
openssl req -new -key example.key -out example.csr -config san.cnfGenerates a CSR with Subject Alternative Names (SANs) defined in a custom configuration file.
Critical for modern certificates; appears in CISSP and AWS-SAA to test SAN handling (e.g., multiple domains in a single CSR).
Must Know for Exams
Certificate Signing Requests appear in multiple certification exams because they are central to PKI and security. For AWS Solutions Architect Associate (AWS-SAA), you might see scenarios where an application on EC2 needs an SSL certificate. You must know to generate a CSR on the EC2 instance or use AWS Certificate Manager (ACM) which abstracts the CSR process. Questions may test that ACM does not require you to manage CSRs, but if you import your own certificate, you must have the private key and certificate chain.
For Microsoft Azure Administrator (AZ-104), you may need to configure an App Service with a custom domain and SSL binding. This involves generating a CSR from the Azure portal or from an on-premises CA. The exam may ask about the steps to create a CSR and upload the issued certificate. Similarly, MS-102 and SC-900 cover Microsoft 365 and security fundamentals, where CSRs are relevant for configuring custom domains with TLS.
For CompTIA Security+ (Security-Plus), CSRs are a core topic in PKI. You need to understand the entire lifecycle: generation, submission, validation, issuance, installation, and renewal. Expect multiple-choice questions about what information is included in a CSR, the purpose of the signature, and the order of operations. For example, a question might ask: 'Which component of the CSR proves that the requester possesses the private key?' The correct answer is the digital signature.
For CySA+ and CISSP (ISC2-CISSP), CSRs are discussed in the context of certificate management, security controls, and PKI governance. You might encounter questions about the security implications of CSR generation, such as the risk of generating a CSR on a compromised system. The exam may test your ability to identify correct procedures for CSR generation in an enterprise environment, especially for code signing or document signing certificates.
For MD-102 (Microsoft Certified: Modern Desktop Administrator), CSRs might appear in the context of managing certificates for Windows devices, including client authentication certificates for Wi-Fi or VPN. You may need to know how to create a CSR using the Certificates MMC snap-in or using PowerShell.
In all these exams, common question patterns include: - Identifying the correct CSR fields (CN, O, OU, etc.). - Understanding the difference between a CSR and a certificate. - Knowing that the private key must not be sent with the CSR. - Recognizing that the CSR must be signed with the private key. - Troubleshooting scenarios where a certificate does not work because the CSR contained an incorrect CN. - Steps to generate a CSR on Windows Server or Linux.
Given the breadth, mastering CSRs is not just about memorizing steps but understanding the underlying trust model. Many exam questions test your ability to reason about what goes wrong when the CSR process is flawed.
Simple Meaning
Imagine you want to open a new bank account. The bank needs to know who you are before they can issue you a debit card. You fill out an application form with your name, address, date of birth, and other personal details. You also provide a copy of your photo ID. The bank checks everything, and if it's all good, they issue you a branded card that proves you are a legitimate account holder. In the digital world, a Certificate Signing Request (CSR) is that application form, and the Certificate Authority (CA) is the bank.
A CSR is a block of encoded text that contains your identifying information (like your domain name, organization name, location, and email) along with your public key. The public key is like the unique signature on your application that only you can match with your private key. You must generate the CSR on your own server or device, and you never reveal your private key to anyone. The CA uses the information in the CSR to verify that you are indeed the owner of the domain or organization you claim to be.
Once the CA is satisfied, they use their own private key to digitally sign the CSR, creating a digital certificate. This certificate is like the signed, stamped bank card that proves your identity to others. Anyone who trusts the CA can then trust your certificate. The CSR itself is not the certificate, it is the request that starts the process.
One key point is that the CSR contains your public key, but it also includes a digital signature created with your private key. This signature proves that you possess the private key that matches the public key in the request. It is a way of saying, 'This is my public key, and I am the only one who has the matching private key.' Without this proof, anyone could claim any public key as their own.
In practice, you generate a CSR using a tool like OpenSSL on your web server. The output is a base64-encoded block of text that you paste into the CA's website or upload as a file. The CA then processes it, validates your details, and sends back the signed certificate. You then install that certificate on your server, and your website becomes trusted by browsers and other clients.
A simple way to think about it is that a CSR is the 'request for a digital passport.' You provide your photo (public key) and your personal details, and a trusted government (CA) issues you a passport (digital certificate) that proves who you are when you travel online.
Full Technical Definition
A Certificate Signing Request (CSR) is a standardized data structure defined in PKCS (Public-Key Cryptography Standards) #10, which is formally known as RFC 2986. It serves as the initial step in the Public Key Infrastructure (PKI) enrollment process, enabling an entity (such as a web server, a user, or an IoT device) to request a digital certificate from a Certificate Authority (CA). The CSR encapsulates two fundamental components: the subject's identifying information (the Distinguished Name or DN) and the subject's public key. Critically, the CSR is digitally signed by the subject's private key, providing proof of possession of the corresponding private key.
The structure of a CSR according to PKCS#10 includes the following elements:
1. CertificationRequestInfo: This is the core data structure containing: - Version: Typically set to 0 (decimal) indicating PKCS#10 v1.0. - Subject: The Distinguished Name (DN) of the entity requesting the certificate. The DN comprises attributes such as Common Name (CN), Organization (O), Organizational Unit (OU), Locality (L), State/Province (ST), Country (C), and Email Address (E). For SSL/TLS certificates, the CN must exactly match the fully qualified domain name (FQDN) of the server. - SubjectPublicKeyInfo: This field contains the public key algorithm identifier (e.g., RSA or ECDSA) and the public key itself. The public key is typically 2048-bit or higher for RSA, or 256-bit for ECDSA. - Attributes (optional): This field may include additional information such as challenge passwords, extension requests (e.g., Subject Alternative Names or key usage extensions), or organizational details.
2. SignatureAlgorithm: Specifies the algorithm used to sign the CSR, such as sha256WithRSAEncryption or ecdsa-with-SHA256.
3. Signature: A digital signature computed over the CertificationRequestInfo using the private key corresponding to the public key in the request. This signature binds the identity information to the private key.
The CSR is encoded using ASN.1 (Abstract Syntax Notation One) and then typically encoded in Base64 within a PEM (Privacy Enhanced Mail) format, often encapsulated between '-----BEGIN CERTIFICATE REQUEST-----' and '-----END CERTIFICATE REQUEST-----' headers.
The process of generating a CSR:
- First, the applicant generates a key pair (public and private) locally. The private key must be kept confidential and stored securely. - Next, the applicant constructs the CSR payload containing the desired DN and public key, along with any optional attributes. - The applicant signs the CSR with their private key to prove ownership. - The CSR is sent to the CA (typically via a web form, API, or email). - The CA verifies the signature using the public key in the CSR. If the signature validates, the CA knows that the requester holds the private key. - The CA then performs identity validation according to its policies (Domain Validation, Organization Validation, or Extended Validation). - After successful validation, the CA issues a digital certificate by signing the public key and identity information with the CA's own private key, creating a certificate that is trusted by browsers and other clients.
In exam contexts, it is crucial to understand that the CSR is never the certificate itself. The CSR is the request, and the certificate is the response. Also, the private key used to sign the CSR must match the public key in the CSR. If the private key is lost or compromised, the certificate becomes useless. The CA validates the CSR's signature before proceeding with any issuance.
Modern protocols like ACME (Automated Certificate Management Environment), used by Let's Encrypt, still rely on the CSR concept, albeit with automated validation and issuance. In such cases, the CSR includes proof of domain control via challenges rather than manual verification.
Understanding CSRs is foundational for any IT professional working with web servers, email servers, VPNs, code signing, or any system that relies on PKI. Misconfigurations at the CSR generation stage can lead to certificate validation failures, domain mismatch errors, or security vulnerabilities.
Real-Life Example
Think of the process of getting a driver's license. You want to prove that you are qualified to drive, and your license is the official document that shows you are allowed to do so. The Certificate Signing Request (CSR) is like the written application form you fill out at the Department of Motor Vehicles (DMV). Here's how the analogy maps:
You first need to prove your identity. You bring your birth certificate, social security card, and a utility bill with your address. These documents are like your private key, they are uniquely yours and you never give them away. You fill out the application form (CSR) with your name, address, date of birth, and other personal information (Distinguished Name). You also submit a photo (your public key) that will appear on the license. You sign the application with your own signature (signing the CSR with your private key) to confirm that the information is true.
You then hand the application to the DMV clerk (the Certificate Authority). The clerk checks that your signature matches the one on file, verifies your documents, maybe runs a background check. This step is the validation process. Once the clerk is satisfied, they take your photo and print your driver's license (the digital certificate). The license includes your photo (public key), your name, address (identity), an expiration date (validity period), and the state seal (CA's digital signature).
Now, when a police officer stops you (a browser connecting to your website), you show your license. The officer trusts the license because it is issued by a trusted authority (the DMV, which is like a CA). The officer can verify the authenticity by checking the state seal and holograms (the CA's digital signature). If your license looks fake or expired, the officer will not trust it. Similarly, if your SSL certificate is expired or signed by an untrusted CA, browsers will display warnings.
One crucial difference: in the real world, you cannot generate your own driver's license. The DMV must authenticate you first. In the digital world, you generate your own CSR with your own public and private keys, but only a trusted CA can issue the final certificate that others will trust. The CSR is your formal, signed request to be recognized as a legitimate online identity.
Another important aspect: if you lose your private key (like losing your social security card), you cannot get a replacement or renew the certificate using the old key. You would have to generate a new key pair and a new CSR, and go through the entire process again. Similarly, if you move and change your address (change your domain name), you need a new application (CSR) for a new license (certificate) because the old one no longer matches your identity.
Just as you can apply for multiple licenses for different purposes (e.g., a commercial driver's license vs. a regular license), you can generate multiple CSRs for different services. Each CSR generates a unique certificate bound to the specific domain and key pair. You wouldn't use your regular driver's license to fly a plane; similarly, you wouldn't use a code signing certificate on an email server.
Why This Term Matters
The Certificate Signing Request is the very first step in establishing trust in any public key infrastructure. Without a CSR, you cannot formally request a certificate from a trusted CA. The CSR ensures that the certificate request is authentic and that the applicant possesses the corresponding private key. This prevents attackers from claiming someone else's public key as their own.
In practical IT, if you are a system administrator setting up an HTTPS website, you must generate a CSR on your server. This CSR must contain the exact domain name that visitors will type. If the CSR has a wrong common name or missing SANs, the certificate will not work properly, causing browser warnings and potential security alerts. A misconfigured CSR can lead to downtime, lost customer trust, and even regulatory fines if sensitive data is compromised.
The CSR process also enforces best practices for key management. Since the private key is generated locally and never leaves the server, it reduces the risk of key exposure. Many certificate-related security breaches happen because private keys are shared or stored insecurely. The CSR workflow inherently protects the private key.
For IT professionals, understanding CSRs is critical for troubleshooting certificate issues. For instance, if a certificate is not trusted, the problem might be that the CSR had an incorrect organization name (O) which the CA did not validate. Or, the CSR might have used an outdated hash algorithm like SHA-1, which the CA rejected. Therefore, knowing how to generate a proper CSR, what fields to fill, and what security settings to apply, is a fundamental skill.
CSRs are not only for SSL/TLS. They are used in email signing (S/MIME), code signing, document signing, client authentication, and even in VPN certificates. In each case, the CSR carries different attributes and extensions. For example, a code signing CSR may include the application publisher name, while an email certificate CSR must include the email address in the subject.
In the era of automation, CSRs remain relevant. Tools like the ACME protocol still use the CSR concept but automate the generation and submission. So even if you never manually type a CSR command, understanding the underlying structure helps you debug automatic certificate renewals and misconfigurations.
How It Appears in Exam Questions
In certification exams, CSR questions typically fall into three categories: scenario-based, configuration-based, and troubleshooting-based.
Scenario-based questions often present a story. For example: 'A company wants to secure its e-commerce website with HTTPS. The administrator has generated a key pair and a CSR. Which of the following must be submitted to the CA?' The answer choices may include 'the private key,' 'the CSR,' 'the public key only,' or 'the domain name only.' The correct answer is the CSR, which contains both identity and public key.
Another scenario: 'A sysadmin receives a certificate from a CA but the browser shows a warning that the certificate is not trusted. What is the most likely cause?' Options might include 'the CSR was not signed,' 'the private key was included in the CSR,' 'the CSR had an incorrect Common Name,' or 'the CA's root certificate was missing.' The correct answer typically involves a mismatch between the CSR's Common Name and the actual domain.
Configuration-based questions ask about the correct steps or tools. Example: 'Which OpenSSL command generates a CSR for a web server?' Options: openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr. You need to recognize the correct flag for output files and key size. Another variation: 'In Windows Server, which tool can be used to create a CSR?' (Answer: Internet Information Services (IIS) Manager, or Certificates MMC for a computer certificate).
Troubleshooting questions describe a failure. For instance: 'After installing a certificate on a web server, clients receive an error that the certificate is not valid for the website. The CSR was generated with CN=www.example.com, but the website is accessed via example.com (without www). What must be done to fix this?' The answer is to generate a new CSR that includes the domain as a Subject Alternative Name (SAN) and reissue the certificate.
Another troubleshooting scenario: 'An administrator attempts to renew a certificate but cannot find the original private key. What is the result?' The correct answer is that the private key is required to use the existing certificate; without it, a new key pair and CSR must be generated, resulting in a new certificate. This tests understanding that the private key is unique to each CSR/certificate.
Multiple-choice questions may also present a CSR in encoded format and ask which field corresponds to a given attribute. For example, they might show a portion of a CSR decoded with OpenSSL and ask: 'Which line represents the common name?' The learner must locate the CN field.
Some exams, like CISSP, may ask conceptual questions such as: 'What is the primary security benefit of requiring the CSR to be signed by the applicant's private key?' (Answer: Proof of possession of the private key, preventing impersonation.)
These question types require not just recall but applied understanding. Practice with OpenSSL and Microsoft CA tools will help solidify the concept.
Practise Certificate signing request Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a junior system administrator at a small company called 'GreenLeaf Books.' The company wants to launch an online store at www.greenleafbooks.com. The CEO wants customers to feel safe entering their credit card information, so you need to install an SSL certificate on the web server. Your manager asks you to request a certificate from a trusted CA like DigiCert.
Here is the step-by-step scenario as you would experience it:
First, you log into the company's web server running Ubuntu Linux. You open a terminal and generate an RSA private key using the command openssl genrsa -out greenleaf.key 2048. This creates a file named greenleaf.key that contains the private key. You set strict file permissions so only root can read it. You know that if this key is stolen, anyone can impersonate your website.
Next, you generate a Certificate Signing Request using openssl req -new -key greenleaf.key -out greenleaf.csr. The tool asks you for information interactively: Common Name (enter www.greenleafbooks.com), Organization (GreenLeaf Books LLC), Organizational Unit (IT Department), City/Locality (Portland), State/Province (Oregon), Country (US), and Email (admin@greenleafbooks.com). You also include Subject Alternative Names via a config file to ensure that 'greenleafbooks.com' without www also works. The tool outputs a file greenleaf.csr.
You open greenleaf.csr in a text editor and see a block of seemingly random text starting with '-----BEGIN CERTIFICATE REQUEST-----.' You copy this entire block and paste it into the CA's enrollment web page. The CA asks you to select the validation level: Domain Validation (DV) is fastest. You choose DV, and the CA sends an email to admin@greenleafbooks.com with a verification link. You click the link, proving you control the domain.
The CA now validates the signature on the CSR. They confirm that the public key matches the private key you used. After this validation, they issue an SSL certificate file (greenleaf.crt) which you download. You upload this certificate to your web server and configure Apache or Nginx to use greenleaf.key and greenleaf.crt. You restart the web service.
Now, when a customer visits https://www.greenleafbooks.com, their browser receives your certificate, checks that it is signed by a trusted CA, verifies that the domain name matches, and establishes a secure connection. The whole process succeeded because you generated a correct CSR.
If you had mistakenly entered 'greenleafbooks.com' without 'www' as the Common Name and did not include SANs, the certificate would only work for that exact hostname. Users browsing to 'www.greenleafbooks.com' would see a security warning. That is why careful CSR generation is critical.
Common Mistakes
Including the private key in the CSR submission.
The private key must never be shared with anyone, including the CA. If the CA has your private key, they (or an attacker who compromises the CA) could impersonate your server. The CSR only contains the public key, not the private key.
Only send the CSR file (e.g., server.csr) to the CA. Keep the private key (e.g., server.key) secured on your own server. If you think you accidentally included the private key, generate a new key pair immediately.
Using an incorrect Common Name (CN) that does not exactly match the domain name.
The browser compares the CN (and SANs) in the certificate with the domain in the URL. If they do not match exactly, the browser will display a security warning indicating the certificate is not valid for that site. Even a missing 'www' prefix can break trust.
Double-check the domain name you want to secure. For the root domain (e.g., example.com) and 'www' subdomain, include both as Subject Alternative Names (SANs). Use the exact FQDN as the CN if not using SANs. Always test with your browser after installation.
Generating the CSR on a different server or machine than where the private key will reside.
The private key that signed the CSR is the only key that can be used with the issued certificate. If you generate the CSR on your laptop and then install the cert on a production server, you must copy the private key from your laptop to the server, which is a security risk and may not be allowed. If you lose the laptop, you lose the key.
Generate the CSR directly on the server where the certificate will be installed. If that is not possible, generate the key pair on a secure offline machine, then securely transfer the private key (encrypted) to the server, and immediately delete it from the source. Better yet, use a Hardware Security Module (HSM) if available.
Failing to include Subject Alternative Names (SANs) when multiple domains or subdomains need to be secured.
A single certificate can cover multiple domain names only through SANs. Without SANs, the certificate is valid only for the exact CN. This is a common cause of 'certificate name mismatch' errors. Modern browsers require SANs for multi-domain certificates.
When generating the CSR, specify all domains and subdomains you plan to use as SANs. For OpenSSL, use a configuration file with the subjectAltName extension. For example, SAN=DNS:example.com,DNS:www.example.com,DNS:mail.example.com. Ensure the CA's certificate type supports SANs (most web SSL certs do).
Using an outdated or weak cryptographic algorithm (e.g., SHA-1 or 1024-bit RSA key) in the CSR.
Modern browsers and security policies reject certificates signed with weak algorithms like SHA-1 or short key lengths (under 2048 bits for RSA). The CA may also reject the CSR outright. This leads to certificate issuance failure or browser warnings.
Always use at least a 2048-bit RSA key or a 256-bit ECDSA key. Use a signature algorithm like SHA-256 or stronger. Check the CA's requirements before generating the CSR. Most CAs enforce minimum key lengths and hash algorithms.
Submitting a CSR with incomplete or incorrect Distinguished Name (DN) fields.
For Organization Validated (OV) and Extended Validated (EV) certificates, the CA will verify the Organization (O), Locality (L), and other fields against official business registries. If the data is wrong or inconsistent, the CA will reject the application, causing delays or cancellation.
Enter your exact registered legal business name (O) as it appears on official documents. Use consistent locality and state information. For Domain Validated (DV) certificates, only the CN and SANs matter, but it is still good practice to be accurate.
Not storing the CSR file or not keeping record of the DN used.
When you need to renew or reissue a certificate, you might need the original CSR or at least the exact DN used. If you lose the CSR or forget the fields, you may have to re-enter everything, potentially causing mismatches or requiring new validation.
Save a copy of the CSR file (e.g., server.csr) in a secure location. Also document the DN attributes and any SANs used. For automated systems, use a configuration file that can be reused. If using ACME, the protocol handles this automatically.
Exam Trap — Don't Get Fooled
{"trap":"Learners often think that the CSR itself is the final certificate that can be installed on a server.","why_learners_choose_it":"The CSR and the final certificate look similar, both are blocks of encoded text with headers. Learners might confuse the two, especially in exam questions that show a CSR and ask if it is ready to install.
Also, some guided setups (like Let's Encrypt) automate the process, so learners don't see the distinction.","how_to_avoid_it":"Remember: The CSR is a request (like an application form). The certificate is the signed response from the CA.
Only the certificate (signed by the CA) can be used on a server. The CSR contains the words 'CERTIFICATE REQUEST' in its header, while the certificate says 'CERTIFICATE.' Always identify which one you are looking at.
In exams, if you see a block with 'BEGIN CERTIFICATE REQUEST,' it is not ready to install."
Commonly Confused With
A digital certificate is the final, signed document issued by a CA, containing the subject's public key and identity, signed by the CA. A CSR is the unsigned request used to obtain that certificate. The CSR is never installed on a server; only the certificate is. The CSR is like a job application; the certificate is the official employment letter.
You send a CSR (application) to the CA, and they send back a certificate (employment letter). You never show the application to your customers, only the signed letter.
The private key is a secret key used to sign the CSR and later to decrypt traffic. The CSR contains only the public key, not the private key. Learners often think the CSR includes the private key because both are generated together. The private key is never sent to the CA.
Your private key is like your house key, you keep it at home. Your CSR is like a signed note that says 'I own this key,' but you only show the note (CSR) to the locksmith (CA), not the key itself.
The public key is part of the key pair and is included in the CSR. However, the CSR is a structured message that also contains identity information and a signature. The public key alone is just the cryptographic key, not a request. You cannot get a certificate by sending only a public key; you must send a CSR.
Think of the public key as your phone number. The CSR is a full application form that includes your phone number along with your name and address. Just giving your phone number to the CA is not enough to get a certificate.
A CRL is a list of certificates that have been revoked before their expiration date. It is completely unrelated to the CSR process. CSR is about requesting a new certificate; CRL is about invalidating an existing one. They are opposite ends of the certificate lifecycle.
CSR is like applying for a new driver's license. CRL is like a list of licenses that have been suspended or revoked. One is a request, the other is a status list.
A self-signed certificate is a certificate that is signed by the same entity's private key rather than a CA. No CSR is needed for a self-signed certificate because you are acting as your own CA. However, self-signed certificates are not trusted by default by browsers. CSRs are used specifically to get a certificate from a trusted third-party CA.
Self-signed is like writing a recommendation letter for yourself. CSR is like asking a professional mentor to write that letter for you.
Step-by-Step Breakdown
Generate a Cryptographic Key Pair
The first step is to create a public/private key pair on the server or device that will use the certificate. This is usually done with OpenSSL or a similar tool. The private key must be stored securely and never shared. The public key will be included in the CSR. The key algorithm (RSA or ECDSA) and size (e.g., 2048-bit RSA) must meet current security standards.
Assemble Identity Information (Distinguished Name)
Collect the identifying details about the entity requesting the certificate: Common Name (CN), Organization (O), Organizational Unit (OU), City/Locality (L), State (ST), Country (C), and Email. For a web server, the CN must be the exact domain name. For DV certificates, only the CN matters, but for OV/EV, all fields are verified against official records.
Include Subject Alternative Names (Optional but Recommended)
If the certificate needs to be valid for multiple domains or subdomains, they must be specified as Subject Alternative Names (SANs). This is critical for modern web browsers, which will reject a certificate if the domain does not match the CN or SANs. The SANs are embedded in the CSR as an attribute.
Build the CertificationRequestInfo Structure
The software constructs an ASN.1 data structure called CertificationRequestInfo. This contains the version number (0 for v1), the subject DN, the SubjectPublicKeyInfo (algorithm and public key), and any optional attributes (like SANs or challenge password). This is the raw data that will be signed.
Sign the CertificationRequestInfo with the Private Key
The CertificationRequestInfo is digitally signed using the private key that was generated in step 1. The signature algorithm (e.g., SHA-256 with RSA) is applied. This signature proves to the CA that the requester holds the corresponding private key. Without this signature, the CSR is invalid and would be rejected.
Encode the CSR in PEM Format
The signed CSR structure is encoded using DER (Distinguished Encoding Rules) and then converted into Base64 text, wrapped with the header '-----BEGIN CERTIFICATE REQUEST-----' and footer '-----END CERTIFICATE REQUEST-----.' This PEM format is what is submitted to the CA. It is a text file that can be copied and pasted.
Submit the CSR to a Certificate Authority
The PEM-encoded CSR is sent to a CA via their web portal, API, or email. The CA first validates the structure and signature. If the signature is valid, they proceed to verify the identity of the requester (via email, DNS, or document checks). This step may take minutes to days depending on the validation level.
CA Issues a Digital Certificate
After successful validation, the CA creates a digital certificate by taking the public key and identity from the CSR, adding a serial number, validity period, and other extensions, and signing the entire structure with the CA's own private key. The result is a signed certificate, typically in PEM format, which is sent back to the requester.
Install the Certificate on the Server
The final step is to install the issued certificate on the server that holds the corresponding private key. The server software (Apache, Nginx, IIS) is configured to use the private key and certificate file. The CSR file is no longer needed, though it may be kept for future renewals. The certificate is now trusted by clients that trust the CA.
Practical Mini-Lesson
In real-world IT environments, generating a Certificate Signing Request (CSR) is a routine but critical task. The process varies slightly depending on the platform (Windows, Linux, macOS) and the server software (IIS, Apache, Nginx, Tomcat), but the core principles remain the same. As a professional, you must be comfortable with both command-line tools and graphical tools.
On Linux, OpenSSL is the standard. The command openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr generates a private key and CSR in one step. The -nodes flag means the private key is not encrypted with a passphrase (for web servers, it is common to avoid passphrase prompts). You can then review the CSR using openssl req -text -noout -verify -in server.csr. This shows the DN, public key, and signature. If the signature is valid, the output will include 'Certificate request self-signature verify OK.' Always verify your CSR before submission to avoid errors.
On Windows, you can generate a CSR using IIS Manager: select your server, go to Server Certificates, then 'Create Certificate Request.' A wizard guides you through the DN and key settings. The output is a base64-encoded CSR file. You can also use PowerShell with the System.Security.Cryptography namespace, but the IIS method is more common. For Microsoft CA or Azure, you may use the Certificates MMC.
One critical practical consideration: the private key must be stored securely. On Linux, set permissions to 600 (owner read/write only). On Windows, use ACLs to restrict access to the machine account and administrators. If using a load balancer, the private key may need to be on every node. In that case, consider using a centralized certificate store or a hardware security module (HSM).
Another real-world nuance: Some CAs offer CSR generation tools or web forms that ask you to paste your public key instead of the full CSR. However, this is less secure because you must manually separate the public key. Always use a proper CSR for the highest compliance.
Troubleshooting CSR issues in production: - If the CSR is rejected with 'invalid signature,' the private key may have been modified or corrupted. Regenerate both. - If the certificate does not match the domain, check the CN and SANs in the CSR with openssl req -text -noout -in csr.pem | grep -A1 'Subject Alternative Name'. - If the certificate works but browsers show 'not trusted,' the CA root certificate may not be present in the server's trust store (but this is not a CSR issue). - If you get a 'bad CSR' error from the CA, try copying the CSR without extra whitespace or line breaks.
For advanced use, CSRs can include attributes like challenge passwords (for revocation) or custom extensions (e.g., keyUsage, extendedKeyUsage). For example, code signing certificates require the extendedKeyUsage extension with 'codeSigning' value. These extensions can be specified in an OpenSSL configuration file and referenced during CSR generation.
Finally, know that ACME (Automated Certificate Management Environment) does most of this automatically. However, if you ever need to debug an ACME failure, understanding the raw CSR format is invaluable. For instance, if Let's Encrypt fails with 'Invalid CSR,' you may need to check that the SANs exactly match the domain names you validated.
the practical skill set includes generating CSRs, verifying them, securely managing private keys, and knowing how to include the necessary extensions. Mastery of CSRs is a foundational skill for any IT security professional.
Troubleshooting Clues
Mismatched Common Name (CN)
Symptom: Certificate issued but browser shows 'Invalid name' or site is untrusted.
The CN in the CSR does not match the actual domain or hostname being accessed. Modern browsers also require SANs, not just CN.
Exam clue: Exams (Security+, CISSP) present a CSR output with a CN mismatch and ask why the certificate fails validation.
Missing Subject Alternative Names (SANs)
Symptom: CSR accepted by CA but certificate only works for the CN, not for additional subdomains.
The CSR was generated without SAN extensions; modern CA policies and browsers require SANs for multi-domain support.
Exam clue: AWS-SAA and MS-102 questions test that a CSR without SANs may cause certificate validation errors for alternate domains.
Key Size Too Small
Symptom: CA rejects CSR with 'Key size too small' error.
Some CAs enforce minimum key sizes (e.g., 2048-bit RSA). An older 1024-bit key is insecure and not accepted.
Exam clue: Appears in Security+ and CySA+ to reinforce compliance standards (e.g., FIPS 140-2) and best practices.
Incorrect Private Key Permissions
Symptom: OpenSSL fails with 'unable to load private key' or 'permission denied'.
The private key file has restrictive permissions (e.g., owned by root and non-readable) or is encrypted with a passphrase not provided.
Exam clue: AZ-104 and Linux admin scenarios test permission troubleshooting (e.g., chmod 600) for private key files.
Signature Verification Failure
Symptom: 'openssl req -verify' returns 'verification failure' or error.
The CSR's signature does not match the embedded public key, indicating data corruption or tampering.
Exam clue: CySA+ and CISSP questions use this to test incident detection: a failed verify suggests a compromised CSR.
Subject Formatting Errors
Symptom: CA returns 'Invalid subject line' or 'Wrong character encoding'.
The subject string contains unescaped special characters (e.g., commas, slashes) or uses incorrect DN syntax.
Exam clue: MS-102 and SC-900 exam questions present a CSR with a malformed subject and ask to identify the fix (e.g., escaping with backslashes).
Duplicate or Conflicting Extensions
Symptom: CA fails with 'extensions duplicated' or 'conflicting key usage' after CSR submission.
The CSR was generated with multiple extension sections (e.g., both basicConstraints and keyUsage defined incorrectly).
Exam clue: CISSP and AWS-SAA questions test understanding of CSR extensions, especially for CA certificates or code signing.
Learn This Topic Fully
This glossary page explains what Certificate signing request means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →200-301Cisco CCNA →SAA-C03SAA-C03 →N10-009CompTIA Network+ →Related Glossary Terms
AES is a fast and secure encryption standard used worldwide to protect sensitive data by scrambling it so only authorized parties can read it.
Asymmetric encryption is a cryptographic method that uses a pair of keys—a public key for encryption and a private key for decryption—to securely exchange data without sharing a secret.
Availability is the measure of how often a system or service is operational and accessible when needed, typically expressed as a percentage of uptime.
The CIA triad is a foundational security model that guides organizations in protecting data through confidentiality, integrity, and availability.
Confidentiality means keeping sensitive information secret and accessible only to authorized people or systems.
A Certificate Revocation List (CRL) is a published list of digital certificates that have been revoked by a Certificate Authority before their scheduled expiration date.
Quick Knowledge Check
1.Which command generates a CSR with an existing private key and sets the subject to CN=example.com?
2.A CSR submitted to a CA is rejected because the browser shows 'NET::ERR_CERT_COMMON_NAME_INVALID'. What is the most likely cause?
3.When generating a CSR for a web server that must serve both www.example.com and example.com, what must be included in the CSR?
4.After running 'openssl req -verify -in request.csr', you get 'Verification failure'. What does this indicate?
5.An administrator runs 'openssl req -new -key server.key -out server.csr' but gets 'unable to load private key'. What is the most probable cause?
6.Which of the following is a valid reason to convert a CSR from DER to PEM format?