What Is a CSR and How to Create One? A Complete Step-by-Step Guide
Securing your website with HTTPS is no longer optional; it's a fundamental requirement for user trust, data protection, and search engine rankings. At the heart of every SSL/TLS certificate issuance lies a critical but often misunderstood component: the Certificate Signing Request (CSR). Whether you're a developer, system administrator, or website owner, understanding how to generate and submit a CSR correctly can save you hours of troubleshooting and ensure your site is properly secured.
In this comprehensive guide, we'll explain exactly what a CSR is, why it matters, and walk you through multiple methods to create one, including OpenSSL, cPanel, and IIS.
What Is a CSR (Certificate Signing Request)?
A Certificate Signing Request (CSR) is a block of Base64-encoded text that you generate on your server and submit to a Certificate Authority (CA), such as Let's Encrypt, DigiCert, or Sectigo, when applying for an SSL certificate. The CA reads the information embedded in the CSR and uses it to issue a digitally signed certificate that enables HTTPS on your domain.
Think of a CSR as a formal application form: it tells the CA who you are, what domain you want to secure, and provides the cryptographic public key that will be embedded in the final certificate.
What Information Does a CSR Contain?
A standard CSR includes the following fields:
| Field | Description | Example |
|---|---|---|
| Common Name (CN) | Fully Qualified Domain Name (FQDN) to secure | www.example.com |
| Organization Name (O) | Legal name of the company or individual | Example Corp Ltd |
| Organizational Unit (OU) | Department or division (optional) | IT Department |
| Locality (L) | City where the organization is located | New York |
| State/Province (ST) | Full state or province name | New York |
| Country (C) | Two-letter ISO country code | US |
| Email Address | Contact email (optional) | admin@example.com |
| Public Key | Cryptographic key used for encryption | RSA 2048-bit or higher |
> Important: A CSR does not contain your private key. The private key is generated alongside the CSR but must always remain securely stored on your server and never shared with anyone, including the CA.
Why Is a CSR Important?
Understanding the role of a CSR helps clarify why every SSL certificate issuance begins with this step.
1. It Initiates the SSL Certificate Request
Without a CSR, a CA has no way to know which domain you want to secure, who owns it, or which public key to embed in the certificate. The CSR is the formal mechanism that starts the entire certificate issuance workflow.
2. It Establishes the Cryptographic Foundation
The CSR contains your public key, which is mathematically paired with your private key. Together, these keys form the asymmetric encryption backbone of SSL/TLS. When a browser connects to your server, it uses the public key (from the certificate) to encrypt data, and your server uses the private key to decrypt it, ensuring that no third party can intercept the communication.
3. It Enables Identity Validation
Depending on the type of SSL certificate you're requesting, the CA will perform different levels of identity verification using the information in your CSR:
- Domain Validation (DV): The CA verifies only that you control the domain. Fast and automated.
- Organization Validation (OV): The CA verifies your organization's legal existence in addition to domain control.
- Extended Validation (EV): The most rigorous check: the CA verifies legal identity, physical address, and operational status.
If you're running a business website or e-commerce platform, choosing the right validation level matters. You can explore AlexHost's range of SSL Certificates to find the option that best fits your security requirements.
How to Create a CSR: Step-by-Step Instructions
Creating a CSR involves two main steps: generating a private key and then using that key to produce the CSR file. Below, we cover the most common methods.
Method 1: Using OpenSSL (Linux, macOS, Windows)
OpenSSL is the most widely used and universally available tool for generating CSRs. It works on Linux servers, macOS, and Windows (with OpenSSL installed).
#### Step 1: Generate a Private Key
Open your terminal (or command prompt on Windows) and run the following command:
```bash
openssl genrsa -out private.key 2048
```
What this does:
- `genrsa`: generates an RSA private key
- `-out private.key`: saves the key to a file named private.key
- `2048`: specifies the key length in bits (2048-bit is the minimum recommended; use 4096 for higher security)

> Security tip: Store private.key in a secure, access-restricted directory. Never upload it to a public location or share it via email.
#### Step 2: Generate the CSR
With your private key created, run the following command to generate the CSR:
```bash
openssl req -new -key private.key -out yourdomain.csr
```
OpenSSL will prompt you to fill in the CSR fields interactively:
```
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Example Corp Ltd
Organizational Unit Name (eg, section) []: IT Department
Common Name (e.g. server FQDN or YOUR name) []: www.example.com
Email Address []: admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
> Pro tip: Leave the "challenge password" blank unless your CA specifically requires it. It adds complexity without meaningful security benefit in most modern workflows.
Once complete, your CSR is saved to yourdomain.csr. You can view its contents with:
```bash
openssl req -text -noout -verify -in yourdomain.csr
```
#### Step 3: Generate Both Key and CSR in a Single Command
For efficiency, you can combine Steps 1 and 2 into one command:
```bash
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out yourdomain.csr
```
This generates the private key and CSR simultaneously, prompting you for the same field information.
#### Step 4: Submit the CSR to Your Certificate Authority
Open the yourdomain.csr file in a text editor and copy its entire contents, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. Paste this into your CA's submission form when purchasing or renewing your SSL certificate.
#### Step 5: Secure Your Private Key
After receiving and installing your SSL certificate, ensure private.key is:
- Stored with restricted file permissions (`chmod 600 private.key` on Linux)
- Backed up in a secure, encrypted location
- Never transmitted over insecure channels
If the private key is lost or compromised, you must generate a new key pair, create a new CSR, and request a certificate reissuance.
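The steps of Method 1 as a non-interactive script, added here as an example and not part of the original guide: it creates the key under a restrictive umask, fills the subject with `-subj` instead of the prompts, and confirms that the CSR carries the public key of private.key. It goes slightly beyond the commands above by also writing subjectAltName entries with `-addext`, which assumes OpenSSL 1.1.1 or later; the function names `make_csr` and `csr_matches_key` are illustrative.

```shell
#!/bin/sh
# Added example (not from the original guide). make_csr and csr_matches_key
# are illustrative names; the subject values are the guide's sample data.

# make_csr DIR CN [EXTRA_DNS_NAME...]
# Writes DIR/private.key and DIR/yourdomain.csr without interactive prompts.
make_csr() (
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done

    # The function body is a subshell, so the umask applies only here:
    # private.key is created 0600 instead of being chmod-ed afterwards.
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/private.key" -out "$dir/yourdomain.csr" \
        -subj "/C=US/ST=California/L=San Francisco/O=Example Corp Ltd/CN=$cn" \
        -addext "subjectAltName=$san"
)

# csr_matches_key CSR KEY
# Succeeds only if the public key inside the CSR is the one derived from KEY,
# i.e. the certificate issued for this CSR will work with this private key.
csr_matches_key() (
    from_csr=$(openssl req -in "$1" -noout -pubkey) || exit 1
    from_key=$(openssl pkey -in "$2" -pubout) || exit 1
    [ "$from_csr" = "$from_key" ]
)

# Usage (paths are placeholders):
#   make_csr /path/to/keys www.example.com example.com
#   csr_matches_key /path/to/keys/yourdomain.csr /path/to/keys/private.key
```

Running `csr_matches_key` again before installing the issued certificate catches the case where the key on disk is no longer the one the CSR was generated from.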
Method 2: Using cPanel (Shared Hosting & VPS)
If your hosting environment uses cPanel, you can generate a CSR directly through the graphical interface, with no command-line experience required. This is ideal for users on Shared Web Hosting or a VPS with cPanel.
Steps:
- Log in to your cPanel account.
- Navigate to the Security section and click SSL/TLS.
- Under Certificate Signing Requests (CSR), click "Generate, view, or delete SSL certificate signing requests."
- Fill in the CSR form fields:
  - Key Size: Select 2048 (recommended) or 4096 bits
  - Domains: Enter your FQDN (e.g., `www.example.com`)
  - City, State, Country: Your organization's location details
  - Company & Division: Legal organization name and department
  - Email: Contact email address
- Click Generate.
- cPanel will display your CSR. Copy the full text and submit it to your CA.
> cPanel also stores your private key automatically and associates it with the CSR, simplifying the later certificate installation step.
Method 3: Using IIS on Windows Server
For administrators managing websites on Windows Server with Internet Information Services (IIS), the IIS Manager provides a built-in CSR generation wizard.
Steps:
- Open IIS Manager (`inetmgr`).
- In the Connections panel on the left, select your server name (not a specific site).
- In the center panel, double-click Server Certificates.
- In the Actions panel on the right, click Create Certificate Request…
- Fill in the Distinguished Name Properties:
  - Common name, Organization, Organizational unit, City, State, Country
- Click Next.
- On the Cryptographic Service Provider Properties page:
  - Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
  - Bit length: 2048 (minimum) or 4096
- Click Next, choose a file path to save the CSR, and click Finish.
- Open the saved `.txt` file, copy its contents, and submit to your CA.
> Note: IIS stores the pending private key internally. Do not delete the pending request from IIS Manager until after you've successfully installed the issued certificate.
CSR Generation: Quick Comparison of Methods
| Method | Platform | Skill Level | Best For |
|---|---|---|---|
| OpenSSL CLI | Linux, macOS, Windows | Intermediate | Developers, sysadmins, VPS users |
| cPanel GUI | Any cPanel-based hosting | Beginner | Shared hosting, managed VPS users |
| IIS Manager | Windows Server | Intermediate | Windows-based web servers |
Common CSR Mistakes to Avoid
Even experienced administrators occasionally make errors when generating CSRs. Here are the most common pitfalls:
- Using an incorrect Common Name: The CN must exactly match the domain you want to secure. For a wildcard certificate, use `*.example.com`. For a multi-domain (SAN) certificate, your CA's interface will handle additional domains separately.
- Abbreviating the State/Province field: Always spell out the full name (e.g., "California," not "CA"). Some CAs will reject abbreviated entries.
- Losing the private key: The CSR and private key are a matched pair. If you lose the private key before installing the certificate, you'll need to start over.
- Using a key size below 2048 bits: Modern CAs and browsers require a minimum of 2048-bit RSA keys. Using anything smaller will result in rejection or browser warnings.
- Reusing old CSRs: Always generate a fresh CSR for each new certificate request or renewal. Reusing CSRs can introduce security risks and may be rejected by some CAs.
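A pre-submission check for the mistakes listed above, added here as an example and not part of the original guide: it reads a CSR with OpenSSL and reports a failed self-signature, an RSA key below 2048 bits, a Common Name that differs from the expected one, and a State/Province value of two characters or fewer. `lint_csr` is an illustrative name, and the two-character test for abbreviations is a heuristic assumption.

```shell
#!/bin/sh
# Added example (not from the original guide); lint_csr is an illustrative name.
# usage: lint_csr yourdomain.csr www.example.com

# lint_csr CSR_FILE EXPECTED_CN
# Prints one FAIL line per problem; exit status is 0 only if none were found.
lint_csr() (
    csr=$1; want_cn=$2; rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # A CSR is signed with its own private key. Match on the message text,
    # since the exit status of -verify is not consistent across versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" \
        || fail "self-signature does not verify"

    # Key size from the "Public-Key: (NNNN bit)" line. RSA only: an EC key
    # would need a different threshold.
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || fail "key is ${bits:-unknown} bits, below 2048"

    # RFC 2253 output gives a stable "CN=...,O=...,ST=...,C=..." layout.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null)
    cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    st=$(printf '%s\n' "$subj" | sed -n 's/.*ST=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || fail "CN is '$cn', expected '$want_cn'"
    # Heuristic (assumption): two characters or fewer is treated as abbreviated.
    [ "${#st}" -gt 2 ] || fail "State/Province '$st' looks abbreviated"

    exit "$rc"
)
```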
After the CSR: Installing Your SSL Certificate
Once your CA validates your CSR and issues the certificate, you'll receive one or more .crt or .pem files. Installation steps vary by platform:
- Apache/Nginx on Linux: Configure the certificate file paths in your virtual host configuration
- cPanel: Use the SSL/TLS Manager to install the certificate against the matching private key
- IIS: Use "Complete Certificate Request" in IIS Manager to import the issued certificate
- Plesk / DirectAdmin: Use the built-in SSL certificate management interfaces
For users on VPS Hosting or Dedicated Servers, you have full root access to manage certificate installation directly via the command line or your preferred control panel.
Frequently Asked Questions About CSRs
Can I reuse a CSR for multiple certificates?
Technically yes, but it is strongly discouraged. Each certificate request should use a freshly generated CSR and key pair to maintain proper security hygiene.
How long is a CSR valid?
A CSR itself does not expire, but the certificate issued from it does (typically 1 year for modern SSL certificates). You should generate a new CSR each time you renew your certificate.
What's the difference between a CSR and a certificate?
A CSR is your *request* to obtain a certificate. The certificate is the *issued document* from the CA, signed with the CA's private key, that browsers trust.
Do I need a CSR for Let's Encrypt?
Let's Encrypt's ACME protocol (used by tools like Certbot) handles CSR generation automatically behind the scenes. However, you can also provide a custom CSR if needed.
Conclusion
A Certificate Signing Request (CSR) is the essential first step in obtaining an SSL/TLS certificate for your website. It packages your public key and organizational identity into a standardized format that Certificate Authorities use to issue trusted certificates, enabling HTTPS, encrypting user data, and building visitor trust.
Whether you're using OpenSSL on a Linux VPS, the cPanel graphical interface on a shared hosting plan, or IIS Manager on a Windows Server, the process follows the same fundamental principles: generate a secure private key, create the CSR with accurate information, submit it to your CA, and safeguard your private key throughout.
Ready to secure your website? Explore AlexHost's SSL Certificates for a range of options suited to every project size and budget, from basic domain validation to extended validation certificates for enterprise environments. Pair your SSL certificate with reliable VPS Hosting or Dedicated Servers to ensure your infrastructure is as robust as your security posture.
