What is a CSR and how to create one?
Updated - 14.03.2025
Published - 14.03.2025


Security is one of the most important principles of the digital world. Following it keeps data safe and prevents its interception by third parties. All information must be transmitted exclusively through secure connections, in encrypted form, for which SSL certificates are used. Before receiving a certificate, however, you need to create a special request, a CSR. What is hidden behind this abbreviation, and how do you generate the request correctly?

General concept

The abbreviation CSR stands for “certificate signing request”, that is, a request for a digital signature for a certificate. It must contain information about the domain name and the enterprise planning to use the certificate.

The SSL protocol guarantees the security of the communication session between the client and the server: all data is encrypted, so even if it is intercepted, it will be meaningless. Valuable information, for example bank card details and passwords for logging into accounts, will not be available to intruders.

The absence of an SSL certificate dramatically reduces the level of trust in a site. Moreover, many browsers automatically block navigation to such sites, warning the user that the connection is insecure and that confidential information may be lost.

CSR structure

A CSR consists of the following elements:

  • Private key. A special key created together with the CSR, the main function of which is to encrypt the transmitted information.
  • Public key. Formed on the basis of the previous one, integrated into the request.
  • Data about the enterprise. Name of the individual, name of the user organization, regional, state affiliation.
  • Domain name.

How to sign a certificate?

To sign an SSL certificate, you need not only to create a CSR, but also to send it for review to the certification center. The task of the center is to check the specified data, make sure it is correct and issue the SSL certificate. First of all, the organization checks the following:

  • The legitimacy of the domain. For this, DNS records are analyzed or other methods are used.
  • Documents provided by the company or individual. This is not always done, but only when applying for high-level EV SSL.
  • Organization activities. Relevant for OV SSL.

Creating a CSR request: methods and instructions

The simplest way to generate a CSR is to contact a hosting provider. This eliminates unnecessary difficulties and allows you to quickly obtain a certificate, install it and start using it.

The second option is to do it yourself, using OpenSSL. This method is universal: it keeps the process under your full control and produces a result that is 100% compatible with all servers and platforms. OpenSSL has alternatives; however, this program is functional and effective and is distributed free of charge, which eliminates unnecessary expenses.

To create the required certificate, you need to install the program on the server or PC. The easiest way is to download it from the official website. Further actions are more complicated, and therefore require a more detailed analysis.

Creating a private key

This is done using the command line, by executing the command “openssl genrsa -out private.key 2048”. Each part of this command has a strictly defined meaning:

  • genrsa is the main command that starts generation;
  • -out private.key – indicates the name of the file where you plan to store the key;
  • 2048 – key size, expressed in bits. 2048 is the minimum recommended value, providing a sufficient level of security. It is recommended to use larger keys if possible.

Preparing a request

Once the key has been created, you can proceed to forming a request using the command “openssl req -new -key private.key -out domain.csr”. As in the previous case, each component of the command has its own tasks:

  • req -new – the basic part that activates the preparation of the CSR;
  • -key private.key – indicates the path to the key made in the previous step;
  • -out domain.csr – the file where you plan to store the CSR.

Specifying information

After executing the command specified earlier, the program will prompt for a list of fields that should be filled in carefully:

  • Country. The state where the domain is registered. For example, for the United States, the abbreviation “US” is indicated, and for Great Britain, “UK”.
  • State or Province. The region where the enterprise or individual is registered.
  • Locality Name. The locality where the enterprise or individual is registered.
  • Organization Name. In this column, you must specify the full name of the enterprise, without abbreviations, the same as in the documents, or the full name of the individual.
  • Organization Unit. The name of the department within the enterprise that will use the certificate.
  • Common Name. Domain name. Specify in full, without abbreviations and acronyms.
  • E-mail. Contact e-mail, with which you can quickly contact the administrator to resolve technical issues and problems.
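
The three steps above can also be run without the interactive prompts. The script below is an added example, not part of the original article: it passes the fields through -subj and then checks the request before it is sent to the certification center. The subject values, the example.com domain and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: the key, request and field steps above, run without prompts.
# Subject values and example.com are constructed placeholders.

SUBJ_BASE="/C=US/ST=California/L=San Francisco/O=Example Corp/OU=IT"

make_csr() {    # $1 = output directory, $2 = Common Name (domain)
    # umask 077 makes private.key readable by its owner only, from creation.
    ( umask 077 && openssl genrsa -out "$1/private.key" 2048 2>/dev/null ) || return 1
    # -subj supplies the fields that openssl req would otherwise prompt for.
    openssl req -new -key "$1/private.key" -out "$1/domain.csr" \
        -subj "$SUBJ_BASE/CN=$2/emailAddress=admin@example.com"
}

check_csr() {   # $1 = directory holding private.key and domain.csr
    # 1. The request's self-signature must verify (the signer held the key).
    openssl req -in "$1/domain.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # 2. The public key in the request must match the private key on disk.
    csr_pub=$(openssl req -in "$1/domain.csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/private.key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ] || return 1
    # 3. Only domain.csr is sent out; it must hold no private key block.
    ! grep -q "PRIVATE KEY" "$1/domain.csr"
}

csr_subject() { # $1 = directory; prints the subject fields stored in the request
    openssl req -in "$1/domain.csr" -noout -subject
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_csr "$workdir" www.example.com && check_csr "$workdir" && csr_subject "$workdir"
```

Check 2 is the one that catches a request paired with the wrong key file, for example after a reissue where an old private.key was left in place.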

What should be taken into account?

Before creating a CSR request, or registering an SSL certificate, you need to take into account several important points. For example, the key size. The minimum recommended value, which allows you not to worry about security, is 2048 bits. If maximum reliability is required, it is recommended to increase the key to 4096 bits.

Of course, even the most reliable key will be useless if third parties gain access to it. Transferring it into the wrong hands, as well as storing it on unprotected storage media, is unacceptable.

Do not forget that a CSR is for one-time use. If it is necessary to renew or reissue the certificate, a new key and CSR must be generated. This approach eliminates the risks associated with vulnerability.


Author of the article:

user

Editor-in-Chief

Danaev Almaz