Last updated date : 20 Mar 2023

Why do businesses create certificate signing requests?

SSL/TLS certificates define how users interact with devices and websites in the modern world. Certificates also help establish secure means for internal communications. Without valid certificates, enterprises cannot facilitate a secure online experience for their customers or build user trust.

Businesses can obtain these certificates from CAs, organizations authorized to issue valid digital certificates. However, CAs require org-specific information to issue a certificate that reflects relevant details of the organization. This is why businesses create certificate signing requests.

A CSR initiated by an organization contains a variety of information, including the server's public key and the CA's name. Using this information, a CA will be able to create and issue a valid certificate.

What information does a certificate signing request contain?

Apart from the public key, a typical CSR contains the following information:

  • Common Name

    The Common Name is the fully qualified domain name of your organization. For example: manageengine.com

  • Organization Name

    The Organization Name will be the full, legal name of your organization. This must be inclusive of suffixes, if any. For example: Zoho Corporation. The organization name cannot contain the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ? . , &

  • Locality

    The Locality field refers to the town, city, or village your organization belongs to. For example: Austin

  • State

    The State field refers to the state your organization belongs to. For example: Texas

  • Country

    The Country field refers to the two-letter country code of your organization. For example: US

  • Email Address

    The email address field requires the email address of the admin or the employee who will oversee the whole process. For example: admin@zylker.com

| Fields | Example |
| --- | --- |
| Common Name | manageengine.com |
| Organization Name | Zoho Corporation |
| Organizational Unit | IT Department |
| Locality | Austin |
| State | Texas |
| Country | US |
| Email Address | admin@zylker.com |

Prerequisites before creating a certificate signing request

Before creating a CSR for an X.509 certificate, you will have to generate a public-private key pair. The public key is sent to the CA as part of the CSR, while the private key must be kept secret and is used to sign the information in the CSR.

How to create a certificate signing request

You can create a CSR either manually or using certificate lifecycle management software.

Creating a certificate signing request manually

To create a CSR manually, you will have to:

01. Create an RSA private key pair

Log in to your server, then create an RSA private key and a CSR using OpenSSL or keytool.

openssl

| Command | Function |
| --- | --- |
| openssl | Invokes OpenSSL. |
| req | Indicates the generation of a new CSR. |
| -new -newkey rsa:2048 | Generates a new 2048-bit RSA private key. Note: 4096-bit key pairs are more secure. If you wish to use them instead, replace 2048 with 4096. |
| -keyout domain_name.key | Specifies the name of the file that stores the new private key. Replace domain_name with a name of your choice. |
| -out MYCSR.csr | Specifies the name of the output file that stores your CSR. Replace MYCSR with a name of your choice. |

keytool

| Command | Function |
| --- | --- |
| keytool | Invokes keytool. |
| -genkey | Generates a new key pair. |
| -alias ALIAS | The name used to identify the key pair in the keystore. Replace ALIAS with a name of your choice. |
| -keyalg ALGORITHM | Specifies the algorithm (RSA, DSA, EC) to be used to generate the key pair. |
| -keystore server.keystore | Specifies the name of the keystore file that will store the key pair. Replace server.keystore with a file name of your choice. |
| -storetype TYPE | Specifies the type of keystore that will be created. Replace TYPE with the keystore type of your choice (JKS, PKCS12, etc.). |

Note: You will require a user account with root privileges or the root credentials of the server. The server must also have OpenSSL or keytool installed. If you wish to use keytool, use the following command and enter the keystore's password.

 

02. Submit certificate signing request details

Soon after you run the command, you will be requested to enter relevant CSR details, including Common Name, Organization Name, Organizational Unit, Locality, State, Country, and Email Address. You can also enter a password for your key pair at the end.

Sending certificate signing request details to the certificate authority

To send the generated CSR details to the CA:

  • Access the newly created CSR. You can find it in your working directory. Copy the entire content to a separate file. If your certificate authority does not allow you to upload a file, you can copy & paste the CSR details manually.

  • Verify the details before sending them to your CA. Many CAs also offer CSR decoders to troubleshoot error messages that appear during CSR generation.
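The manual steps above, followed by the pre-submission check, as an added example that is not part of the original page or of Key Manager Plus. It assembles the openssl flags from the table, supplies the page's sample field values through `-subj` instead of the prompts, and assumes `-nodes` so it runs unattended; the function names `make_csr`, `csr_field` and `check_csr` are hypothetical.

```shell
#!/bin/sh
# Added example: file names are illustrative, subject values are the page's samples.

# make_csr KEY CSR SUBJECT: new 2048-bit RSA key plus CSR, with no prompts.
make_csr() {
    (
        umask 077   # the key file is created readable by its owner only
        # -nodes is an assumption (not in the page's flag table): it leaves the
        # key unencrypted so the call can run unattended.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
    )
}

# csr_field CSR NAME: print one subject attribute by its long name.
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n "s/^ *$2 *= //p"
}

# check_csr CSR EXPECTED_CN: print each problem; return 0 only if none found.
check_csr() {
    rc=0
    # The request is signed with the private key, so a failed check means the
    # file was altered or truncated after generation.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "signature does not verify"; rc=1; }
    [ "$(csr_field "$1" commonName)" = "$2" ] ||
        { echo "Common Name is not $2"; rc=1; }
    csr_field "$1" countryName | grep -Eq '^[A-Z]{2}$' ||
        { echo "Country is not a two-letter code"; rc=1; }
    # Characters the page lists as not allowed in the Organization Name.
    if csr_field "$1" organizationName | grep -q '[<>~!@#$%^*/\()?.,&]'; then
        echo "Organization Name contains a disallowed character"; rc=1
    fi
    bits=$(openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key is shorter than 2048 bits"; rc=1; }
    return "$rc"
}

# Constructed run in a scratch directory.
dir=$(mktemp -d)
subj="/C=US/ST=Texas/L=Austin/O=Zoho Corporation/OU=IT Department"
subj="$subj/CN=manageengine.com/emailAddress=admin@zylker.com"
make_csr "$dir/domain_name.key" "$dir/MYCSR.csr" "$subj" &&
    check_csr "$dir/MYCSR.csr" manageengine.com && echo "CSR passes the checks"
```

Only the `.csr` file goes to the CA; the `.key` file stays on the server.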

Creating certificate signing requests using tools

While creating a CSR manually can seem intuitive, it isn't scalable when you manage multiple devices in your organization. In such cases, it might be helpful to use machine identity management software that automates the certificate signing request process. For example, a solution like ManageEngine's Key Manager Plus helps enterprises create new CSRs, import or export CSRs, set up CSR templates, order new certificates from popular CAs, and much more.

Automate your certificate lifecycle management

Managing CSRs is one part of certificate lifecycle management at your enterprise. From encrypting data for secure communication to validating user identities, certificates form an essential part of our online world. If you do not yet use certificate lifecycle management software, you should consider adopting one.
