What Is a Certificate Signing Request (CSR) and How Does It Work?
A Certificate Signing Request — commonly abbreviated as CSR — is a block of encoded text that an applicant submits to a Certificate Authority (CA) when requesting a digital SSL/TLS certificate. It's the starting point for securing a website, server, or application with encryption. Understanding what a CSR contains, how it's generated, and what happens to it helps clarify how the entire certificate lifecycle works.
The Core Purpose of a CSR
When a web server needs an SSL/TLS certificate, it can't just ask a CA to "trust me." Instead, it must prove its identity and provide the public key it intends to use. That's exactly what a CSR does — it packages both pieces of information into a standardized, signed file.
A CSR accomplishes two things simultaneously:
- Delivers your public key to the CA so it can be embedded in the issued certificate
- Confirms you control the corresponding private key, because the CSR itself is signed using that private key
The CA never sees your private key. That key stays on your server, and that separation is fundamental to how public-key cryptography keeps the system secure. 🔐
What Information a CSR Contains
A CSR is typically encoded in PEM format (Base64-encoded text) and follows the PKCS#10 standard. Beneath that encoding, it carries structured fields known as the Distinguished Name (DN):
| Field | What It Represents | Example |
|---|---|---|
| CN (Common Name) | The domain or server name | example.com |
| O (Organization) | Legal business name | Acme Corp |
| OU (Organizational Unit) | Department (optional) | IT Security |
| L (Locality) | City | Austin |
| ST (State/Province) | State or region | Texas |
| C (Country) | Two-letter country code | US |
| SANs | Subject Alternative Names | www.example.com, api.example.com |
The Subject Alternative Names (SANs) field has become especially important. Modern browsers require SANs for certificate validation, so multi-domain or wildcard coverage is specified here rather than relying solely on the CN.
How a CSR Is Generated
CSR generation always happens in pairs — a public/private key pair is created at the same time. The process typically works like this:
- A private key is generated on the server (commonly 2048-bit or 4096-bit RSA, or elliptic curve alternatives like ECDSA)
- The CSR is created using that private key and the identity information above
- The CSR file is submitted to a CA
- The CA validates the request (checking domain ownership, and for OV/EV certificates, organizational identity)
- The CA issues a signed certificate that pairs with the private key already on the server
The most common tool for generating a CSR is OpenSSL, used via command line. Hosting control panels like cPanel, Plesk, and cloud providers' dashboards also offer GUI-based CSR generation, which abstracts the command-line process entirely.
Three Certificate Types That Use CSRs
Not every certificate has the same validation depth, and the CSR process reflects that:
Domain Validation (DV) certificates require only that you prove control of the domain — typically through a DNS record, email confirmation, or placing a file on the web server. The CA performs no identity checks beyond domain control. These are fast to issue, sometimes within minutes.
Organization Validation (OV) certificates require the CA to verify the legal existence of your organization in addition to domain control. The CSR must include accurate organizational details, which the CA cross-checks against business registries or other sources.
Extended Validation (EV) certificates involve the most rigorous vetting — legal status, physical address, operational status, and more. The CSR fields must be precisely accurate because they're used in that extended verification process.
Key Variables That Affect the CSR Process 🔑
How straightforward or complex your CSR process ends up depends on several factors:
- Key algorithm and size — RSA 2048-bit is widely compatible; RSA 4096-bit increases security but adds slight processing overhead; ECDSA offers strong security with smaller key sizes, but compatibility with older clients varies
- Single domain vs. wildcard vs. multi-domain — a wildcard CSR covers
*.example.com, while a multi-SAN certificate requires listing each domain in the request - Where it's generated — generating on the server itself is most secure; generating through a third-party panel means trusting that platform with key generation
- Certificate Authority requirements — different CAs have slightly different submission portals, validation workflows, and supported algorithms
- Renewal timing — CSRs are typically regenerated at renewal rather than reusing the old one, though some environments reuse existing keys intentionally
What Happens After You Submit a CSR
The CA uses the CSR's public key and verified identity information to issue a signed certificate. This certificate binds your public key to your verified identity and is signed with the CA's own private key — which is how browsers can verify it through the chain of trust.
Once you receive the certificate, it's installed on your server alongside the private key that was generated with the original CSR. The two must match; a certificate issued against one CSR cannot be used with a different private key.
If a private key is ever compromised or lost, a new key pair and a new CSR must be generated, and the certificate must be reissued — even if it hasn't expired.
The Variables That Make This Personal
The mechanics of what a CSR is and how it works are consistent across environments. Where things diverge is in the specifics: the certificate type that fits your use case, the key algorithm appropriate for your server and client base, how many domains need to be covered, which CA aligns with your compliance requirements, and how your infrastructure handles key storage and rotation.
Those details — your stack, your compliance environment, your traffic patterns, and your tolerance for manual processes — are what determine which approach actually fits.