Certificate Request

A CSR (Certificate Signing Request) is the message sent to the CA in order to have a digital certificate created. A CSR is often generated on the same server on which the certificate is to be installed. Before creating a CSR, the applicant must first generate a public-private key pair.

The public key is included in the CSR and is used by the CA to create the certificate, while the private key, which must be kept private, is used to sign the information contained in the CSR. Apart from the public key, the CSR may contain the following information:

| Information | Description | Sample |
| --- | --- | --- |
| Common Name (CN) | This is the fully qualified domain name (FQDN) of the device to be secured. | www.example.com, *.example.com, mail.example.com |
| Business Name/Organization (O) | The legal incorporated name of the organization. The name shouldn’t be abbreviated, and it should include suffixes like Ltd., Inc. | AppViewX, Inc. |
| Department Name/Organizational Unit (OU) | The department in your organization handling the certificate. | IT, Finance |
| City/Locality (L) | The city/town your organization is located in. | New York City |
| Province, Region, County, or State (S) | This should not be abbreviated. | New York |
| Country (C) | The two-letter ISO code of your country. | US |
| Email Address (MAIL) | The primary point of contact in your organization for certificate-related operations, usually the IT department. | |

A CSR is usually represented as a Base64-encoded PKCS #10 (Public Key Cryptography Standards #10) structure. Here’s a sample of what a CSR looks like:

-----BEGIN CERTIFICATE REQUEST-----
(Base64-encoded request body)
-----END CERTIFICATE REQUEST-----
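
The key-pair and CSR steps described above, as an added example using the OpenSSL command line (not code from the original page). The subject values are constructed, and the file and function names are hypothetical.

```shell
#!/bin/sh
# Added example. Subject values are constructed; file and function names are hypothetical.
set -eu

# Step 1: generate the key pair. umask 077 keeps the private key owner-only;
# it stays on this host and only the CSR is sent to the CA.
make_key() {    # $1 = private key path
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$1" 2>/dev/null )
}

# Step 2: build the PKCS #10 request. The subject carries the fields from the
# table; openssl signs the request with the private key.
make_csr() {    # $1 = private key path, $2 = CSR output path
    openssl req -new -sha256 -key "$1" -out "$2" \
        -subj "/C=US/ST=New York/L=New York City/O=Example, Inc./OU=IT/CN=www.example.com"
}

# Self-signature check: shows the requester holds the private key that matches
# the embedded public key. The message text differs between OpenSSL releases,
# so match the part they share.
csr_signature_ok() {    # $1 = CSR path
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# The public key embedded in the CSR must equal the one derived from the key file.
csr_matches_key() {     # $1 = CSR path, $2 = private key path
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Subject in RFC 2253 form (CN first, country last).
csr_subject() {         # $1 = CSR path
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

demo() {
    dir=$(mktemp -d)
    make_key "$dir/server.key"
    make_csr "$dir/server.key" "$dir/server.csr"
    head -n 1 "$dir/server.csr"          # PEM header of the Base64 PKCS #10 body
    csr_subject "$dir/server.csr"
    csr_signature_ok "$dir/server.csr" && echo "self-signature verifies"
    csr_matches_key "$dir/server.csr" "$dir/server.key" && echo "CSR carries this key pair's public key"
    rm -rf "$dir"
}
demo
```

Running `csr_matches_key` before submitting or installing catches the common mix-up of pairing a CSR with the wrong private key file.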

What are the Steps Involved in Verification?

After the CSR is generated and sent to the CA, the CA conducts a verification process before issuing the certificate. The steps involved in verification depend on the type of certificate requested.

For Domain Validation (DV) certificates – if the domain name is the same as the one listed as the Common Name on the CSR, the CA verifies the domain ownership itself (although this depends on the CA; some may require additional form-fills or other checks). If not, the CA might send an email containing a verification link to a list of addresses on the domain (like administrator@ and webmaster@); clicking the link proves domain ownership. Further steps depend on the CA handling the request. These certificates typically take a few minutes to be issued.

For Organization Validation (OV) and Extended Validation (EV) certificates – these certificates entail more verification steps. Here, the CA verifies the physical existence and eligibility of the organization. This may involve visiting the organization in person, verifying the phone number and email address provided, etc., apart from domain control verification. These certificates typically take up to 3 days to be issued.