Here's a detailed Knowledge Base (KB) Article explaining CSR (Certificate Signing Request), how to create it, and the critical role of the Private Key.
🔍 Overview
A Certificate Signing Request (CSR) is a block of encoded text submitted to a Certificate Authority (CA) when applying for an SSL/TLS certificate. It carries identifying information about the organization and domain, the public key that will be placed in the certificate, and a signature made with the matching private key.
This article will explain:
- What a CSR is
- How to create a CSR
- What the private key is and why it is essential
- Best practices for secure handling
📘 What is a CSR?
A CSR (Certificate Signing Request) is a file generated on the server that is requesting an SSL certificate. It contains:
| Field | Description |
|---|---|
| Common Name | The Fully Qualified Domain Name (FQDN) like www.example.com |
| Organization | The legal name of your company |
| Location Info | City, State, and Country |
| Public Key | The public half of the key pair; the CA copies it into the issued certificate |
| Signature / Hash Algorithm | The algorithm used to sign the CSR with the private key; SHA-256 with RSA or ECDSA is the norm |
A CSR never contains the private key, but it is signed with it, so the CA can verify that whoever submitted the request holds the key matching the embedded public key.
🔐 What is the Private Key?
The private key is the secret half of the key pair generated alongside the CSR. It is used to:
- Sign the TLS handshake, proving to clients that your server holds the key matching the certificate
- Decrypt the pre-master secret when the older RSA key exchange is negotiated (TLS 1.2 and earlier)
- Work with the public key in the SSL certificate to enable HTTPS
⚠️ DO NOT share or expose your private key. Anyone who obtains it can impersonate your server, and where RSA key exchange was used can also decrypt previously captured traffic.
🧩 What Information is in a CSR?
| Field | Example |
|---|---|
| Common Name (CN) | www.example.com |
| Organization (O) | Example Inc. |
| Organizational Unit (OU) | IT Department (optional; publicly trusted CAs no longer include it) |
| Locality (L) | New York |
| State (ST) | New York |
| Country (C) | US |
| Email Address | admin@example.com (optional) |
| Public Key Algorithm | RSA 2048-bit or ECDSA (P-256) |
Browsers match a certificate to a site by its Subject Alternative Names (SAN), not the CN, so every hostname the certificate must cover (for example both www.example.com and example.com) has to be listed as a SAN in the CSR or in the CA's order form.
🛠️ How to Create a CSR (and Private Key)
📍 Windows Server (IIS)
- Open IIS Manager → click the server name
- Go to Server Certificates → click Create Certificate Request
- Enter the required CSR fields (CN, O, C, etc.)
- Select a 2048- or 4096-bit RSA key
- Save the .req file (this is the CSR)
The private key is generated and stored in the local machine's certificate store as a pending request; it never appears as a separate file. The issued certificate must be installed with Complete Certificate Request on the same server, otherwise IIS cannot find the matching key.
📎 Next Step: Submit the .req file to the Certificate Authority.
📍 Linux (OpenSSL)
Run this command:
You’ll be prompted to enter:
- Country
- State
- Organization
- Domain (CN)
This will generate:
- yourdomain.csr → the CSR to send to the CA
- yourdomain.key → your private key (keep it safe!)
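As an added example that is not part of the original article: a POSIX shell script that generates the key and CSR with OpenSSL non-interactively (supplying the subject with -subj instead of answering prompts) and then runs the checks worth doing before a CSR goes to the CA: that its self-signature verifies, that its public key is the one derived from yourdomain.key, and that the key file is readable by its owner only. The subject fields, file names and working directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the KB article's own command): generate a private key and
# CSR with OpenSSL non-interactively, then check the CSR before sending it to
# the CA. File names, subject fields and the work directory are assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/yourdomain.key"
CSR="$WORKDIR/yourdomain.csr"
# Subject fields the CA will see; replace with your real FQDN and organization.
SUBJECT="/C=US/ST=New York/L=New York/O=Example Inc./CN=www.example.com"

# Generate a new 2048-bit RSA key and a CSR for it in one command.
# -nodes writes the key unencrypted so the web server can load it without a
# passphrase; -subj supplies the DN fields instead of prompting for them.
generate_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" -subj "$SUBJECT" 2>/dev/null
}

# A CSR is signed with the private key it was generated with. Verifying that
# self-signature proves possession of the key and catches a CSR altered in transit.
verify_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Confirm the CSR carries the public half of this exact key: the PEM public key
# extracted from each must be identical, or the certificate the CA issues will
# never load alongside this key.
key_matches_csr() {
    [ "$(openssl req -in "$CSR" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ]
}

# Subject line as the CA will parse it, for a last look before submission.
csr_subject() {
    openssl req -in "$CSR" -noout -subject
}

# Octal mode of the key file; anything other than 600 (or 400) is a finding.
key_mode() {
    stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY"
}

umask 077          # files created from here on are readable by the owner only
generate_csr
verify_csr
key_matches_csr
echo "CSR written to $CSR"
csr_subject
echo "private key $KEY has mode $(key_mode)"
```

Submit yourdomain.csr (it is public and safe to paste into the CA's portal); yourdomain.key stays where it was generated.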
🔐 Importance of the Private Key
| 🔑 Function | Description |
|---|---|
| Key exchange | With RSA key exchange (TLS 1.2 and earlier) it decrypts the pre-master secret the client encrypted to your public key; with ECDHE and TLS 1.3 it is not used for decryption at all |
| Authentication | Signs the handshake (and the CSR) to prove your server holds the key matching the certificate |
| Data Integrity | Anchors the handshake from which the session keys that protect the connection against tampering are derived |
| HTTPS | Without it the TLS handshake cannot complete, so the certificate alone is useless |
| Non-recoverable if lost | A lost key cannot be recovered; you must generate a new one and have the certificate reissued |
🛡️ Security Tips
- Generate and keep the private key on the server (or HSM/key vault) that will use the SSL certificate; never copy it elsewhere except as an encrypted backup.
- Use file permissions to restrict access (e.g., chmod 600 yourdomain.key), with the file owned by root or the service account that loads it.
- Never send the private key over email, chat or a ticketing system, or upload it to untrusted storage.
🧾 Best Practices for Managing CSR and Private Key
| Action | Recommendation |
|---|---|
| Generate the key on the server | Avoid online CSR generators; a key produced in a browser form has already left your control |
| Back up the private key securely | Encrypt it with a passphrase (e.g. PKCS#8 with AES-256) or store it in a secrets manager or HSM |
| Use strong algorithms | RSA 2048-bit or larger, or ECDSA P-256/P-384, with a SHA-256 signature |
| Use different key pairs | Generate a fresh key for every certificate and renewal; a reused key means one compromise affects every certificate issued for it |
🛑 What Happens if the Private Key is Lost or Compromised?
| Scenario | Action |
|---|---|
| 🔐 Lost | The certificate cannot be installed without its key. Generate a new key and CSR and have the CA reissue (rekey) the certificate. |
| 🕵️ Stolen | Anyone holding the key can impersonate your server. Generate a new key and CSR, install the reissued certificate, then revoke the old certificate immediately and investigate how the key was exposed. |
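An added example, not from the original article, covering the backup recommendation and the "which key does this certificate belong to" question above with OpenSSL: it encrypts the key for offline backup with a passphrase taken from the environment, proves the backup restores, and checks a certificate against a key by comparing the public keys derived from each. The CA-issued certificate is stood in for by a one-day self-signed certificate; file names, passphrase, subject and working directory are assumptions.

```shell
#!/bin/sh
# Added example (not part of the KB article): protect a private key for backup
# and check whether a certificate belongs to a given key, using OpenSSL only.
# File names, passphrase, subject and the self-signed stand-in are assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
umask 077          # every file created below is owner-readable only

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/yourdomain.key"
KEY_BACKUP="$WORKDIR/yourdomain.key.enc"
CERT="$WORKDIR/yourdomain.crt"
# The backup passphrase is read from the environment rather than the command
# line so it does not land in shell history or `ps` output. Constructed value.
BACKUP_PASS="${BACKUP_PASS:-constructed-example-passphrase}"
export BACKUP_PASS

# Generate the server key, unencrypted, as the web server needs to load it.
generate_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
}

# Encrypted copy for offline backup: PKCS#8 wrapped with AES-256. Only this
# file leaves the server; the plaintext key never does.
backup_key() {
    openssl pkey -in "$KEY" -aes256 -passout env:BACKUP_PASS -out "$KEY_BACKUP"
}

# Prove the backup is restorable: decrypt it in memory and compare the public
# key it yields with the public key of the original.
backup_restores() {
    [ "$(openssl pkey -in "$KEY_BACKUP" -passin env:BACKUP_PASS -pubout)" = \
      "$(openssl pkey -in "$KEY" -pubout)" ]
}

# The public key inside a certificate must equal the one derived from the
# private key. If it does not, this is not the key that made the CSR and the
# certificate is unusable with it (the "lost key" case). Works for any PEM cert.
cert_matches_key() {
    cert_file="$1"; key_file="$2"
    [ "$(openssl x509 -in "$cert_file" -noout -pubkey)" = \
      "$(openssl pkey -in "$key_file" -pubout)" ]
}

# Stand-in for the CA-issued certificate: a one-day self-signed cert for the key.
issue_stand_in_cert() {
    openssl req -x509 -new -key "$KEY" -days 1 -subj "/CN=www.example.com" -out "$CERT" 2>/dev/null
}

generate_key
backup_key
backup_restores && echo "encrypted backup restores correctly"
issue_stand_in_cert
cert_matches_key "$CERT" "$KEY" && echo "certificate matches yourdomain.key"
```

Run cert_matches_key against the certificate the CA actually returned and the key on the server before concluding a key is lost; a mismatch with every key you can find means reissuing with a new CSR is the only option.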