What Is a Certificate Request? A Clear Guide to How SSL/TLS Certificates Begin
When you visit a secure website, send an encrypted email, or connect to a corporate VPN, a digital certificate is working quietly in the background. But before any certificate can be issued, something called a certificate request has to happen first. Understanding what that is — and what it contains — helps you make sense of how internet security actually works.
The Basic Idea: Asking for Proof of Identity
A certificate request (also called a Certificate Signing Request, or CSR) is a formal, encoded message that an organization or individual sends to a Certificate Authority (CA) — a trusted third party like DigiCert, Let's Encrypt, or Sectigo — asking them to issue a digital certificate.
Think of it like applying for a passport. You submit your identity information and a photo, the government verifies it, and then issues an official document that others can trust. A certificate request works the same way, just for servers, software, and digital identities.
What a Certificate Request Actually Contains
A CSR is a structured file, typically encoded in Base64 PEM format, that bundles together two things:
Identity information — called the Distinguished Name (DN), this includes details like:
- Common Name (CN): The domain name (e.g.,
www.example.com) - Organization (O): Your company or entity name
- Locality (L), State (ST), Country (C): Geographic identifiers
- Subject Alternative Names (SANs): Additional domains or IPs the cert should cover
- Common Name (CN): The domain name (e.g.,
A public key — generated alongside a private key on your server. The public key is embedded in the CSR and will be included in the issued certificate. The private key never leaves your server.
The CA signs the public key and identity information together, creating a certificate that others can cryptographically verify.
How a Certificate Request Is Generated 🔐
The process starts on the server or device that will use the certificate — not at the CA. Here's the general flow:
- Generate a key pair — your server creates a public/private key pair (typically RSA 2048-bit or ECC 256-bit)
- Create the CSR — using tools like OpenSSL, Windows Server's IIS Manager, or a hosting control panel (cPanel, Plesk), you fill in your identity details and the CSR is assembled
- Submit the CSR — you paste or upload the CSR to your chosen CA
- Validation — the CA verifies your identity at one of three levels (more on that below)
- Certificate issued — the CA returns a signed certificate file you install on your server
The raw CSR looks like a block of scrambled text starting with -----BEGIN CERTIFICATE REQUEST-----. That's normal — it's Base64-encoded binary data.
Validation Levels: Not All Certificate Requests Are Treated Equally
One of the most important variables in the certificate request process is the validation level the CA applies before issuing the certificate. There are three tiers:
| Validation Type | What Gets Verified | Typical Use Case |
|---|---|---|
| Domain Validation (DV) | You control the domain | Personal sites, blogs, basic HTTPS |
| Organization Validation (OV) | Domain + organization identity | Business websites, APIs |
| Extended Validation (EV) | Rigorous legal + operational checks | Financial institutions, e-commerce |
DV certificates can be issued in minutes (Let's Encrypt automates this entirely). EV certificates can take days and require documentation. The CSR format is similar across all three — the difference is in what the CA checks before signing it.
Certificate Requests in Different Environments
Where and how you generate a CSR varies considerably based on your setup:
- Web hosting control panels — many hosts generate the CSR for you automatically when you request an SSL certificate
- Windows Server / IIS — has a built-in certificate request wizard in the management console
- Linux servers — OpenSSL commands are the standard approach (
openssl req -new -newkey rsa:2048 ...) - Cloud platforms — AWS Certificate Manager, Google-managed SSL, and Azure all abstract the CSR process away entirely in some configurations
- Code signing or email certificates — CSRs are also used for non-web certificates, like signing software binaries or enabling S/MIME encrypted email
What Can Go Wrong With a Certificate Request
A few common issues affect how CSRs behave in practice:
- Mismatched Common Name — if the CN doesn't exactly match the domain being secured, browsers will throw a warning
- Weak key length — RSA keys below 2048 bits are rejected by modern CAs
- Missing SANs — modern browsers require Subject Alternative Names; a CN-only certificate may not be accepted
- Private key loss — if you lose the private key generated with the CSR, the issued certificate becomes unusable
- CSR reuse — submitting an old CSR with a new request can cause key reuse issues; best practice is generating a fresh key pair each time
The Spectrum of Who Handles This — and How
For a solo developer spinning up a personal project, the entire CSR process might be invisible — automated tools like Certbot handle it end-to-end. For an enterprise IT team managing certificates across hundreds of servers, CSR generation follows strict internal policies, may involve hardware security modules (HSMs), and ties into a formal Public Key Infrastructure (PKI) framework.
Between those extremes sits everyone else: small business owners using hosting dashboards, developers deploying on cloud platforms, and IT generalists managing a handful of company domains. Each of those contexts changes which tools make sense, how much the process needs to be understood versus automated, and what validation level is appropriate.
The certificate request itself is technically straightforward — but the right approach to generating, submitting, and managing it depends entirely on the scale of what you're securing, the infrastructure you're working with, and how much of the process your environment already handles for you.