This Knowledge Base (KB) article explains what a Certificate Signing Request (CSR) is, how to create one, and the critical role of the private key that belongs to it.
## Overview
A Certificate Signing Request (CSR) is a block of encoded text submitted to a Certificate Authority (CA) when applying for an SSL/TLS certificate. It carries the identifying information that will appear in the certificate (domain name and organization) together with the public key, and it is signed with the matching private key so the CA can verify that the requester actually holds that key.
This article explains:
- What a CSR is
- How to create a CSR
- What the private key is and why it is essential
- Best practices for secure handling
## What is a CSR?
A CSR (Certificate Signing Request) is a file generated on the server that is requesting an SSL/TLS certificate. It contains:
| Field | Description |
|---|---|
| Common Name | The Fully Qualified Domain Name (FQDN), like www.example.com |
| Organization | The legal name of your company |
| Location Info | City, State, and Country |
| Public Key | Copied by the CA into the issued certificate |
| Signature Algorithm | Hash used when the CSR is signed with your private key; SHA-256 is the norm (public CAs reject SHA-1) |
A CSR does not include the private key, but it is signed with it, which mathematically links the request to that key: the CA can confirm that the CSR's public key corresponds to a private key the requester controls. Note that modern browsers match the hostname against the Subject Alternative Name (SAN) extension rather than the Common Name, so every hostname the certificate must cover should be listed as a SAN in the CSR; most public CAs require this.
## What is the Private Key?
The private key is a secret file generated at the same time as the CSR; it is the other half of the key pair whose public half goes into the CSR. It is used to:
- Prove during the TLS handshake that your server holds the key matching the certificate, by signing handshake data (in legacy RSA key exchange, by decrypting the pre-master secret the client encrypted to your public key)
- Digitally sign data to prove it came from your server
- Work with the public key in the SSL/TLS certificate to enable HTTPS
WARNING: DO NOT share or expose your private key. Anyone who obtains it can impersonate your server (and, for connections that used RSA key exchange instead of an ephemeral Diffie-Hellman exchange, decrypt recorded traffic) until the certificate is revoked and replaced.
## What Information is in a CSR?
| Field | Example |
|---|---|
| Common Name (CN) | www.example.com |
| Organization (O) | Example Inc. |
| Organizational Unit (OU) | IT Department (optional; many public CAs no longer accept it) |
| Locality (L) | New York |
| State (ST) | New York |
| Country (C) | US (two-letter ISO 3166 code) |
| Email Address | admin@example.com (optional) |
| Public Key Algorithm | RSA 2048-bit (or larger) or ECDSA (e.g. P-256) |
## How to Create a CSR (and Private Key)
### Windows Server (IIS)
1. Open IIS Manager and click on the server name.
2. Go to Server Certificates and click Create Certificate Request.
3. Enter the required CSR fields (CN, O, C, etc.).
4. Select a 2048- or 4096-bit RSA key.
5. Save the `.req` file (the CSR).
The private key is generated and stored automatically in the local machine's certificate store, associated with the pending request. It never leaves the server, so the issued certificate must later be installed with "Complete Certificate Request" on the same server that generated the CSR; if the pending request is deleted, the key is lost with it.
Next step: submit the `.req` file to the Certificate Authority.
### Linux (OpenSSL)
Run this command:
You'll be prompted to enter:
- Country
- State
- Organization
- Domain (CN)
This will generate:
- `yourdomain.csr`: the CSR to send to the CA
- `yourdomain.key`: your private key (keep it safe!)
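The Linux procedure above, as an added worked example that is not part of the original article: it creates the key and CSR non-interactively, keeps the key file private from the moment it is written, and shows the check a practitioner should run before submitting the CSR and again when the certificate comes back, namely that the public key in the CSR or certificate is the one derived from the private key. It assumes OpenSSL 1.1.1 or newer on PATH; `DOMAIN`, the subject fields and the file names are placeholders, and `fake_ca_sign` is a local stand-in for the real CA so the certificate check can be demonstrated offline.

```shell
#!/bin/sh
# Added example (not from the original KB article): create the private key and
# CSR non-interactively with OpenSSL, keep the key file private from the moment
# it is written, and verify that a CSR or certificate really belongs to the key.
# Assumptions: OpenSSL 1.1.1 or newer on PATH; DOMAIN, the subject fields and
# the file names are placeholders; fake_ca_sign stands in for the real CA.
set -eu

DOMAIN="${DOMAIN:-www.example.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/$DOMAIN.key"
CSR="$WORKDIR/$DOMAIN.csr"

# Generate a fresh 2048-bit RSA key and the CSR in one step.
#   -nodes    leave the key unencrypted so the web server can load it unattended
#   umask 077 makes OpenSSL create the key as mode 0600, so it is never
#             world-readable, not even briefly before a later chmod
#   -addext   adds a subjectAltName; browsers match the hostname against SAN,
#             not CN, and public CAs require it
gen_csr() {
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$KEY" -out "$CSR" \
        -subj "/C=US/ST=New York/L=New York/O=Example Inc./CN=$DOMAIN" \
        -addext "subjectAltName=DNS:$DOMAIN" 2>/dev/null)
}

# SHA-256 digest of the public key contained in a private key, CSR or
# certificate. Two files belong together exactly when these digests match.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        csr)  pem=$(openssl req  -in "$2" -pubkey -noout) ;;
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout) ;;
        *)    echo "unknown type: $1" >&2; return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when the CSR or certificate FILE ($2, of type $1) matches key $3.
# Run this before submitting a CSR and again on the certificate the CA returns.
matches_key() {
    [ "$(pubkey_digest "$1" "$2")" = "$(pubkey_digest key "$3")" ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Stand-in for the CA so the check can be demonstrated offline: self-sign the
# CSR with our own key. A real CA signs it with the CA's key instead.
fake_ca_sign() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 30 \
        -out "$WORKDIR/$DOMAIN.crt" 2>/dev/null
    echo "$WORKDIR/$DOMAIN.crt"
}

gen_csr
echo "private key $KEY has mode $(key_mode "$KEY")"
openssl req -in "$CSR" -noout -subject
matches_key csr "$CSR" "$KEY" && echo "CSR matches $KEY; safe to submit"

CERT=$(fake_ca_sign)
matches_key cert "$CERT" "$KEY" && echo "issued certificate matches $KEY"

# The 'lost key' scenario from the article: a freshly generated key cannot be
# used with the issued certificate, so the certificate must be reissued.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/replacement.key" 2>/dev/null
matches_key cert "$CERT" "$WORKDIR/replacement.key" \
    || echo "replacement key does NOT match the certificate; reissue it"
```

Comparing public-key digests is the same test used to diagnose "private key does not match certificate" errors in web servers: if the digests differ, the certificate was issued for a different CSR, or the key was regenerated after the CSR was submitted, and the only remedy is a new CSR and reissuance.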
## Importance of the Private Key
| Function | Description |
|---|---|
| Authentication | Signs the TLS handshake, proving your server holds the key matching the certificate |
| Decryption | In legacy RSA key exchange, decrypts the pre-master secret the client encrypted with your public key |
| Data Integrity | The session keys negotiated in the authenticated handshake protect data against tampering in transit |
| HTTPS | Required to complete the SSL/TLS handshake |
| Non-recoverable if lost | Cannot be regenerated from the certificate; you must create a new key and CSR and reissue the certificate |
## Security Tips
- Generate and keep the private key on the server that will use the SSL/TLS certificate; do not create it elsewhere and copy it in.
- Use file permissions to restrict access (e.g., `chmod 600 yourdomain.key`, owned by root or the service account that loads it).
- Never send the private key over email, chat or ticketing systems, or upload it to untrusted storage.
## Best Practices for Managing CSR and Private Key
| Action | Recommendation |
|---|---|
| Generate the key on the server | Avoid online CSR generators; a third party that generates your key can keep a copy |
| Back up the private key securely | Encrypt it (e.g. a passphrase-protected PEM) or store it in a secrets manager or HSM |
| Use strong algorithms | RSA 2048-bit or larger, or ECDSA P-256/P-384, with SHA-256 signatures |
| Use different key pairs | Do not reuse keys across certificates or renewals; generate a new key with each CSR |
## What Happens if the Private Key is Lost or Compromised?
| Scenario | Action |
|---|---|
| Lost | The certificate cannot be used without its key, and the key cannot be recovered from the certificate. Generate a new key pair and CSR and have the certificate reissued. |
| Stolen | Anyone holding the key can impersonate your server. Revoke the certificate immediately, generate a new key pair and CSR, have the certificate reissued, and redeploy; never reuse the compromised key. |