SSL/TLS certificates define how users interact with devices and websites in the modern world. Certificates also help establish secure means for internal communications. Without valid certificates, enterprises cannot facilitate a secure online experience for their customers or build user trust.
Businesses can obtain these certificates from CAs, organizations authorized to issue valid digital certificates. However, CAs require org-specific information to issue a certificate that reflects relevant details of the organization. This is why businesses create certificate signing requests.
A CSR initiated by an organization contains a variety of information, including the server's public key and the CA's name. Using this information, a CA will be able to create and issue a valid certificate.
Apart from the public key, a typical CSR contains the following information:
The Common Name is the fully qualified domain name of your organization. For example: manageengine.com
The Organization Name will be the full, legal name of your organization. This must be inclusive of suffixes, if any. For example: Zoho Corporation. The organization name cannot contain the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ? . , &
The Locality field refers to the town, city, or village your organization belongs to. For example: Austin
The State field refers to the state your organization belongs to. For example: Texas
The Country field refers to the two-digit country code of your organization. For example: US
The email address field requires the email address of the admin or the employee who will oversee the whole process. For example: email@example.com
Before creating a CSR for an X.509 certificate, you will have to generate a public-private key pair. The public key will be sent to the CA along with the CSR, while the private key must be kept a secret and used for signing the information in the CSR.
You can create a CSR either manually or using certificate lifecycle management software.
To create a CSR manually, you will have to:
Log in to your server, then create an RSA private key with CSR using OpenSSL or keytool.
To invoke OpenSSL.
Indicates the generation of a new CSR.
-new -newkey rsa:2048
Generates a new 2048-bit RSA private key. Note: 4096-bit key pairs are more secure. If you wish to use them instead, replace 2048 with 4096.
Specifies the domain for which you're creating a new key. Replace domain_name with a name of your choice.
Specifies the name of the output file that stores your CSR. Replace MYCSR with a name of your choice.
To invoke Keytool.
Generates a new key pair.
The name used to identify the key pair in the keystore. Replace ALIAS with a name of your choice.
Specifies the algorithm (RSA, DSA, EC) to be used to generate the key pair.
Specifies the name of the keystore file that will store the key pair. Replace server.keystore with a file name of your choice.
Specifies the type of keystore that will be created. Replace TYPE with the keystore type of your choice (JKS, PKCS12, etc).
Note: You will require a user account with root privileges or the root credentials of the server. The server must also have OpenSSL or keytool installed. If you wish to use keytool, use the following command and enter the keystore's password.
Soon after you run the command, you will be requested to enter relevant CSR details, including Common Name, Organization Name, Organizational Unit, Locality, State, Country, and Email Address. You can also enter a password for your key pair at the end.
To send the generated CSR details to the CA:
Access the newly created CSR. You can find it in your working directory. Copy the entire content to a separate file. If your certificate authority does not allow you to upload a file, you can copy & paste the CSR details manually.
Verify the details before sending them to your CA. Many CAs also offer CSR decoders to troubleshoot error messages that appear during CSR generation.
While manually creating a CSR request can seem intuitive, it isn't scalable when you manage multiple devices in your organization. In such cases, it might be helpful to use machine identity management software that automates the certificate signing request process. For example, a solution like ManageEngine's Key Manager Plus helps enterprises create new CSRs, import or export CSRs, set up CSR templates, order new certificates from popular CAs, and much more.
Managing CSRs is one part of certificate lifecycle management at your enterprise. From encrypting data for secure communication to validating user identities, certificates form an essential part of our online world. If you do not yet use certificate lifecycle management software, you should consider adopting one.