A Certificate Signing Request, or CSR, is a data file that contains the information a Certificate Authority or “CA” (a regulated company that issues SSL certificates) needs to create your specific SSL certificate. So a CSR is literally a request to have a certificate created and digitally signed by a CA, and it provides a standardized method for supplying the required information to the CA.
There are three important parts to a CSR:
- Your public key, which is used to encrypt the data sent to your server, allowing users to connect to your site securely.
- The domain name(s) and subdomains you want your certificate to be used with.
- Other information about you and/or your organization/website (optional for Domain Validated (DV) certificates).
Public and Private Keys
When you create a CSR you also create your encryption "key pair" at the same time. The public key is one-half of the key pair that is used with the SSL certificate to encrypt the data sent to your server. The public key is included in the CSR and the SSL certificate you receive.
The other half of the key pair is the private key. While this is also created at the same time as the public key with your CSR, it is not actually a part of the CSR. As the name suggests, it is to be kept private because it is used to decrypt the data that the public key encrypted. It also works with your certificate to prove the identity of your website so your visitors can be sure they are connecting with you and not an imposter.
If anyone were to have access to it, your security would be compromised. So the private key is a separate file, with a name often ending in .key, that you store with your private documents. You do not share it with your CA or anyone else. You will need the private key later in the process when you install your SSL certificate so your website can decrypt the incoming data.
Domains and subdomains
The fully qualified domain name(s), or FQDNs, are the hostname(s) where you will use your certificate. An FQDN consists of the subdomain and root domain, such as “example.com”, “www.example.com” or “mail.example.co.uk”, and must not include “http://”.
Some SSL certificates allow you to secure multiple FQDNs with one certificate – usually marketed as “multi-domain certificates.”
The final piece of the CSR is “subscriber information” – an email address, legally registered business name, and location. DV certificates don't require this information, but including it can add greater credibility to your certificate. OV and EV certificates actually vet the data collected via third-party resources and/or documentation before issuing the certificate, which is why they are the certificate types of choice for corporate and e-commerce use.
Those three pieces are wrapped up and encoded, usually in the “PEM” format. Here is an example of what a CSR looks like:
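As an added example (not part of the original article), the POSIX shell script below uses the openssl command-line tool to generate the key pair and a CSR for the constructed hostnames www.example.com and example.com, then inspects and checks the CSR the way a CA would; it assumes openssl is installed and writes into a temporary directory.

```shell
# Build a 2048-bit RSA key pair and a CSR covering two FQDNs, then inspect
# and check the CSR the way a CA would. Names below are constructed examples.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request config: subscriber fields plus a SAN extension listing every
# hostname the certificate must cover (bare FQDNs, never "http://").
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = www.example.com
O = Example Corp
C = US
[ ext ]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
}

# Generate the key pair and CSR in one step. Only server.csr goes to the
# CA; server.key stays here with owner-only permissions.
make_csr() {
  write_req_config
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/req.cnf" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  chmod 600 "$WORKDIR/server.key"
}

# Succeeds only if the CSR's self-signature checks out (a CA runs this first).
csr_verify() {
  openssl req -in "$WORKDIR/server.csr" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Subject line as the CA sees it.
csr_subject() { openssl req -in "$WORKDIR/server.csr" -noout -subject; }

# Requested SAN hostnames, one per line.
csr_sans() {
  openssl req -in "$WORKDIR/server.csr" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *DNS://'
}

# True if the public key embedded in the CSR belongs to the private key on disk.
key_matches_csr() {
  [ "$(openssl req -in "$WORKDIR/server.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORKDIR/server.key" -pubout)" ]
}
```

Run `make_csr` and then `csr_verify && key_matches_csr && csr_sans` to confirm the request is self-consistent before sending server.csr to the CA; the private key never appears in the CSR output.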