A Certificate Signing Request (CSR) is essential to creating an SSL/TLS certificate, which is used to encrypt communication with a website. The CSR contains the information needed to issue the certificate and is encoded in PKCS#10 format, the standard for certificate requests.
What a CSR looks like
Here’s an example of what a CSR might look like in PEM format:
-----BEGIN CERTIFICATE REQUEST-----
MIICWzCCAUMCAQAwgYExCzAJBgNVBAYTAkFVMREwDwYDVQQIDAhRdWVlbnNsYW5k
MREwDwYDVQQHDAhCcmliYW5lMRQwEgYDVQQKDAtNeU9yZ0x0ZC5hdTEaMBgGA1UE
ggEBAN+lLpNpeK/VVjl12JSzURrCxEj5HZwPVb...
-----END CERTIFICATE REQUEST-----
The body between the BEGIN and END lines is Base64-encoded because the underlying request is binary data. Base64 represents that data as plain text, so it can be copied, pasted and emailed without being corrupted.
Main Components of a CSR when decoded
- Public Key:
  - The CSR contains the public key of a public-private key pair. The public key will be embedded in the issued certificate, while the private key remains securely stored on the requester’s system.
- Distinguished Name (DN): The DN specifies the identity of the entity requesting the certificate and includes:
  - Common Name (CN): The fully qualified domain name (FQDN), such as www.example.com. For wildcard certificates, it may include a wildcard character (*.example.com).
  - Organisation (O): The name of the organisation requesting the certificate.
  - Organisational Unit (OU): The department or subdivision within the organisation (optional).
  - Locality (L): The city or location of the organisation.
  - State/Province (ST): The region or state.
  - Country (C): The two-letter ISO code for the country (e.g., AU for Australia).
  - These fields are part of the X.509 certificate standard.
- Key Algorithm and Hash Algorithm:
  - The CSR specifies the key algorithm used (e.g., RSA or ECC) and the hash algorithm for signing the request (e.g., SHA-256, SHA-384).
  - Most modern CSRs use SHA-256 as it is highly secure and widely supported.
- Extensions (Optional):
  - CSRs can also include extensions such as:
    - Subject Alternative Names (SANs): Lists additional domains or IP addresses the certificate should cover.
    - Key Usage and Extended Key Usage: Defines the key's use (e.g., digital signature, key encipherment).
How a CSR is Used
A Certificate Signing Request (CSR) is used to obtain a digital certificate during the certificate issuance process. First, the requester submits the CSR to a Certificate Authority (CA). The CA then validates the information provided in the CSR, ensuring it aligns with industry standards and verifying details such as domain ownership and organisational identity. Once the validation process is complete, the CA issues an X.509 certificate, which includes the public key and other details from the CSR. The certificate is then returned to the requester, who installs it on the appropriate server.
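The components and the submission step described above, shown as an added example that is not part of the original page. It uses Go's standard crypto/x509 package; the function names buildCSR and inspectCSR and the sample identity are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// buildCSR is the requester side: the private key never leaves this function.
func buildCSR() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{ // constructed sample identity
		Subject:            pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Pty Ltd"}, Country: []string{"AU"}},
		DNSNames:           []string{"www.example.com", "example.com"}, // SAN extension
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key) // signed with key
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// inspectCSR is the receiving side: strip the PEM armour, parse the PKCS#10 DER, verify the self-signature.
func inspectCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil || csr.CheckSignature() != nil { // signature proves possession of the private key
		return nil, fmt.Errorf("malformed request or invalid self-signature")
	}
	return csr, nil
}

func main() {
	p, _ := buildCSR() // on failure p is nil and inspectCSR rejects it
	csr, err := inspectCSR(p)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s%v | %v | %v | %v\n", p, csr.Subject, csr.SignatureAlgorithm, csr.PublicKeyAlgorithm, csr.DNSNames)
}
```

The self-signature only shows that the requester holds the private key matching the public key in the request; the CA's checks of domain ownership and organisational identity are separate steps.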