A Certificate Signing Request (CSR) is a pivotal step in obtaining a TLS/SSL certificate from a Certificate Authority (CA). It's an encoded file, normally generated on the server where the certificate will be used. This file includes identifying details such as the organization's name, domain, locality, and country. Crucially, it carries the public key that will go into the certificate and is signed with the matching private key, which proves to the CA that the requester actually holds that key. The CSR begins the process of obtaining a digital certificate, the credential that lets clients verify the authenticity of your website or server.
Generating an SSL/TLS certificate via a certificate signing request
An SSL/TLS certificate plays a pivotal role in securing your website traffic: it lets clients verify that they are talking to your server and not an impostor, and it anchors the key exchange that encrypts the data transmitted to and from your site. To obtain an SSL certificate, you need to initiate a Certificate Signing Request (CSR) process.
- Generate a pair of private and public keys, which can be accomplished through various tools like OpenSSL.
- Use the private key to sign a certificate signing request containing the public key and your identifying details; the resulting CSR file is what you submit to a Certificate Authority (CA).
Behind-the-scenes details for certificate signing requests (CSRs)
Most CSRs follow the Public Key Cryptography Standards #10 (PKCS #10) Certification Request Standard, the most common format for certificate signing requests. A PKCS #10 request is not a certificate: it is a CertificationRequest structure holding the requester's subject name, public key, and optional attributes (such as requested extensions), signed with the requester's own private key so that the CA can check that the submitter holds that key. Requests can be generated with cPanel, Exchange, IIS, Java Keytool, or OpenSSL. These tools normally write the CSR in PEM format, which is the binary DER encoding of the request wrapped in Base-64 text between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
At creation time, most server software asks the user for several pieces of information that the CA uses for validation: the requester's fully qualified domain name (FQDN), the legal name of the company, a contact email address, the physical address, and the name of the division that will handle the certificate. The public key is embedded in the request, and its type and length follow from it. As GlobalSign explains, the CA needs this data to create the SSL certificate, which binds that public key, and by extension the corresponding private key, to the validated identity.
What information is included in a certificate signing request?
A certificate signing request comprises a comprehensive array of information, with the key elements being business details, allowing the CA to authenticate your identity and company. The CSR should encompass pertinent information about your business, the public key, as well as details regarding the key type and length. Your CA will use the data from the CSR to build your TLS certificate. Here is the type of information that you should expect to include in your CSR.
- Common name: The fully qualified domain name (FQDN) of your server (e.g., www.example.com).
NOTE: Browsers compare the names in the certificate with the host name you typed, and modern browsers check the subjectAltName (SAN) extension for this and ignore the common name. List every host name the certificate must cover as a SAN entry; otherwise you will get a name-mismatch error even when the common name looks right.
- Organization: The legal name of your organization, including suffixes such as Inc., Corp., or LLC where applicable.
NOTE: Do not abbreviate any part of the legal name.
- Organizational unit: The unit or division of the company/organization managing the certificate (e.g., IT Department). Publicly trusted CAs no longer include this field in the certificates they issue, so it is often left empty.
- Locality: The city where your organization is located.
NOTE: This should not be abbreviated.
- State/Province/Region: The state/province/region where your organization is located.
NOTE: This should not be abbreviated.
- Country: The two-letter ISO 3166-1 code for the country where your organization is located (e.g., US).
- Email address: An email address used to contact your organization.
- Public key: The public key that will be included in the certificate.
NOTE: The public key is taken from the key pair you generated; the private half never leaves your server. In a TLS handshake the server proves it holds the private key by signing handshake data, and the session keys that actually encrypt the traffic are negotiated separately.
- Key length and type: The algorithm (RSA or ECDSA) and bit length of the key pair, which determine how hard the key is to break.
NOTE: RSA 2048 is the most common choice; RSA 3072/4096 and ECDSA P-256 or P-384 keys are also widely accepted.
- Signature algorithm: The algorithm with which the CSR itself is signed, for example sha256WithRSAEncryption or ecdsa-with-SHA256. This is a digital signature over the request body made with your private key; the CA later signs the certificate it issues with its own key and algorithm.
What does a certificate signing request look like?
A CSR is commonly encoded in Base-64, a standard way of representing binary data as ASCII text. The resulting Base-64 encoded CSR appears as an extended sequence of seemingly random characters, wrapped between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines; this wrapping is known as PEM format.
What Is Base-64?
Base-64 is a widely adopted encoding format for representing binary data as ASCII text. It turns arbitrary bytes into a printable form that survives being pasted into a web form or sent by email. A CSR is Base-64 encoded so that the CA can receive the binary DER structure through those channels without corruption.
What Is ASCII?
ASCII, which stands for American Standard Code for Information Interchange, is a standardized character encoding used throughout computing. It assigns a number from 0 to 127 to each letter, digit, punctuation mark, and control character.
Figure 1: Example of certificate signing request code
How do you create a CSR?
Generating a CSR involves several steps. First, you generate a private key: a secret value that your server uses to prove its identity by signing TLS handshake data. Anyone who obtains the key can impersonate your site, so it must be generated on the server, stored with restrictive permissions, and never sent to the CA.
Creating a private key
A public key is mathematically derived from the private key, and together they form a "key pair." Data encrypted with a public key can only be decrypted with the corresponding private key, and a signature made with a private key can be verified by anyone holding the public key; TLS server authentication relies on the second property.
Many web servers and runtime environments, such as Internet Information Services (IIS), come with built-in CSR generation. Alternatively, you can generate the private key with the OpenSSL command-line tool; a typical invocation produces a 2048-bit RSA private key in a file such as example.com.key.
Generating a CSR
Once you've generated a private key, you can use it to craft a CSR file. This file contains the information mentioned earlier and is usually encoded in Base-64. You can also create the CSR file using the OpenSSL command-line tool.
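The two steps above (private key, then CSR), as an added example that is not code from the original post. It uses OpenSSL, which the post names as one option, and adds the checks a CA runs on an incoming request and that you should run before submitting: the self-signature, the advertised key size and signature algorithm, that the public key in the CSR matches the key on disk, and that the host names are present as SAN entries. It assumes openssl 1.1.1 or later is on PATH; the domain, organization, and address values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the private key and
# a PKCS#10 CSR with OpenSSL, then run the checks a CA runs on it (and that you
# should run before sending it). Assumes openssl 1.1.1 or later is on PATH;
# the domain, organisation and address values are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/example.com.key"
CSR="$WORK/example.com.csr"

# Every field the CSR will carry, so "openssl req" does not prompt. The
# subjectAltName entries are what browsers match; the CN is kept for legacy
# tooling only.
cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN           = www.example.com
O            = Example Corp Inc.
OU           = IT Department
L            = Salt Lake City
ST           = Utah
C            = US
emailAddress = admin@example.com

[ v3_req ]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF

make_key_and_csr() {
    # Private key, generated where the certificate will be used and never
    # sent anywhere (RSA 2048 here; for ECDSA use -algorithm EC
    # -pkeyopt ec_paramgen_curve:prime256v1).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEY" 2>/dev/null
    chmod 600 "$KEY"
    # CSR: subject fields + public key, signed with the private key using
    # SHA-256 to prove possession of that key.
    openssl req -new -sha256 -key "$KEY" -config "$WORK/csr.cnf" -out "$CSR"
}

# Self-signature check: succeeds only if the request is intact and was signed
# by the private key matching the public key it carries.
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Key size advertised by the CSR, e.g. "2048".
csr_key_bits() {
    openssl req -in "$CSR" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Algorithm the request was signed with, e.g. "sha256WithRSAEncryption".
csr_sig_alg() {
    openssl req -in "$CSR" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Public key in the CSR equals the public half of the key on disk.
csr_matches_key() {
    [ "$(openssl req -in "$CSR" -noout -pubkey)" = \
      "$(openssl pkey -in "$KEY" -pubout)" ]
}

# Host name present as a SAN entry (not only in the CN).
csr_has_san() { openssl req -in "$CSR" -noout -text | grep -q "DNS:$1"; }

# Tampered copy: rotate the letters on one Base-64 line so the signed bytes
# no longer match the signature (or no longer parse). Either way the CA must
# reject it, which is the point of the self-signature.
tampered_csr() {
    sed '4y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/BCDEFGHIJKLMNOPQRSTUVWXYZA/' "$CSR" \
        > "$WORK/tampered.csr"
    printf '%s\n' "$WORK/tampered.csr"
}

make_key_and_csr
head -n 1 "$CSR"                          # -----BEGIN CERTIFICATE REQUEST-----
openssl req -in "$CSR" -noout -subject    # the distinguished name that was signed
```

The tampering step is there to make the security property concrete: a CSR is not a form the CA takes on trust, it is a signed document, and any change to the subject or the public key after signing (by a proxy, a helpdesk tool, or an attacker) invalidates the signature and the request.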
It's important to note that SSL/TLS certificates have a limited validity period. Publicly trusted TLS certificates are currently capped at 398 days, and the industry is moving toward shorter lifetimes. When the certificate expires, it must be renewed or replaced with a new one, and renewal normally means submitting a fresh CSR, ideally with a newly generated key.
Submission to a Certificate Authority (CA)
After generating a CSR, you must submit it to a Certificate Authority (CA). The CA leverages the data in the CSR request to generate an SSL/TLS certificate for your website. Different types of certificates, such as domain-validated (DV), organization-validated (OV), and extended validation (EV) certificates, offer varying levels of validation and trust.
Certificates can also be revoked if their private key is compromised or for other reasons, so it's important to keep track of certificate revocation. The CA usually signs your certificate with an intermediate CA certificate rather than with its root, and your server must send that intermediate along with your own certificate so that clients can build a chain up to a root they trust.
Installing the certificate
Once you've received your SSL/TLS certificate from the CA, you'll need to install it on your server. The installation procedure varies depending on your server type and the software in use. However, most servers follow a similar process for SSL/TLS certificate installation.
The private key was generated on the server and should stay there; what you copy to the server is the certificate the CA issued (the .crt file) together with the intermediate certificate bundle, never the key. You then configure the server to use them. The specific steps depend on the server software, but they generally involve pointing its TLS settings at the certificate, the chain, and the key file, and then restarting or reloading the service.
Private keys must be stored securely; best practice includes restrictive file permissions, hardware security modules (HSMs), or other managed key storage. Monitor certificate expiry and renew ahead of time, and back up private keys and certificates so that a server failure does not cost you the ability to serve your site. Choosing a trusted Certificate Authority (CA) and the right type of SSL/TLS certificate for your needs should also be considered carefully.
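The install-time checks described above, as an added example that is not code from the original post. Because no CA is reachable offline, the script constructs a throwaway root CA and has it issue the www.example.com certificate; with a real CA you would only have your key, the issued leaf certificate, and the CA's intermediate bundle. It then verifies what you should verify before reloading the web server: the certificate's public key matches the private key on this host (and a second, unrelated key is rejected), the certificate chains to the CA, the host name is present as a SAN, and the certificate will not expire within the monitoring window. It assumes openssl 1.1.1 or later is on PATH; the nginx stanza it writes uses the ssl_certificate and ssl_certificate_key directives and is not applied anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl 1.1.1+ on
# PATH. The root CA below is constructed for this example only; with a real
# CA you would have only your key, the issued leaf and the intermediate bundle.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Throwaway root CA standing in for the real CA (constructed, not real).
printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=Example Test Root CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.cnf
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config root.cnf \
    -keyout root.key -out root.crt 2>/dev/null

# The server's own key and CSR (placeholder identity), and the 90-day leaf
# certificate the CA returns for it, with the host name as a SAN.
printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=www.example.com\nO=Example Corp Inc.\nC=US\n' > leaf.cnf
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example.com.key 2>/dev/null
chmod 600 example.com.key
openssl req -new -sha256 -key example.com.key -config leaf.cnf -out example.com.csr
printf 'subjectAltName=DNS:www.example.com\nbasicConstraints=CA:FALSE\n' > leaf.ext
openssl x509 -req -in example.com.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 90 -sha256 -extfile leaf.ext -out example.com.crt 2>/dev/null

# A key that was NOT used for the CSR: the classic cert/key mismatch at install.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out wrong.key 2>/dev/null

# 1. Does the certificate's public key equal the public half of this key?
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# 2. Does the certificate chain to the trusted CA bundle?
cert_chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# 3. Is the host name present as a subjectAltName entry?
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
# 4. Will it still be valid in N days? Exit 0 = yes (suitable for a cron job).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Servers expect the leaf first, followed by the intermediates (not the root).
# This test chain has no intermediate, so the bundle is just the leaf.
cat example.com.crt > fullchain.pem
# nginx stanza pointing at the chain and the key, which never left this host.
cat > example.com.conf <<EOF
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     $WORK/fullchain.pem;
    ssl_certificate_key $WORK/example.com.key;
}
EOF

openssl x509 -in example.com.crt -noout -subject -issuer -dates
```

Run the four functions against the real files before every reload: a key mismatch or a missing intermediate is what turns a routine renewal into an outage, and the expiry check is the one to schedule.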
How to simplify a seemingly complex certificate signing request process
Clearly, organizations must complete multiple steps and track many different pieces of information to properly submit a CSR. To make this process easier, companies should consider generating key pairs and CSRs as well as managing and enforcing trust stores from a central location. Such an approach would simplify administration and ensure that all policies governing certificate content during the certificate request process are enforced automatically.
Venafi's solution makes CSR generation easier, as it enables organizations to create their requests from a central enrollment portal. The solution also has the ability to define default values, which decreases the time needed to complete a CSR. Lastly, companies can use the enrollment portal to integrate with any CA. This further simplifies the generation and storage of CSRs and key pairs.
(This post has been updated. It was originally published on August 21, 2018.)