ELI5: What is a CSR (Certificate Signing Request)?

A CSR is like filling out an application form for an ID badge. You write down your name and info, then hand it to the person who makes the badges so they can create one for you.

Definition

A Certificate Signing Request (CSR) is a message generated by an entity that wants to obtain a digital certificate. The CSR contains the entity’s public key and identity information (Common Name, organization, country, etc.) and is cryptographically signed with the entity’s private key, which proves the entity possesses the private key that matches the public key in the request. The CSR is submitted to a Certificate Authority (CA), which verifies the identity information and uses the CSR to create and sign the certificate.

Key Details

  • The CSR does NOT contain the private key — the private key never leaves the requestor’s control
  • Generated using tools like OpenSSL, Windows Certificate Manager, or web server utilities
  • CA validates the information in the CSR before issuing the certificate
  • Subject Alternative Names (SANs) in the CSR specify additional domain names for the certificate
  • After the CA signs the CSR, the resulting certificate binds the public key to the verified identity
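
The points above can be checked with OpenSSL, one of the tools named in the list. This is an added example, not part of the original page: the subject, the SAN domains and the file names are constructed placeholders, and the `-addext` option assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example: subject, SAN domains and file names are constructed placeholders.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/server.key"   # private key: stays on the requestor's machine
CSR="$WORKDIR/server.csr"   # the only file that would be sent to the CA

# Generate a key pair and a CSR carrying the identity fields and two SANs.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$KEY" -out "$CSR" \
    -subj "/C=US/O=Example Org/CN=www.example.test" \
    -addext "subjectAltName=DNS:www.example.test,DNS:api.example.test" \
    2>/dev/null
  chmod 600 "$KEY"
}

# Proof of possession: the CSR's self-signature verifies against its own public key.
csr_signature_ok() {
  openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}

# The public key inside the CSR is the one derived from the local private key.
csr_key_matches() {
  [ "$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$KEY" -pubout | openssl sha256)" ]
}

# The CSR file holds no private key material.
csr_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$CSR"
}

# List the SAN DNS names requested in the CSR, sorted, on one line.
csr_sans() {
  openssl req -in "$CSR" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sort | paste -sd' ' -
}

make_csr
csr_signature_ok       && echo "self-signature: OK"
csr_key_matches        && echo "public key matches local private key"
csr_has_no_private_key && echo "no private key in CSR"
echo "requested SANs: $(csr_sans)"
```

A CA performs the same self-signature check on receipt; a CSR whose signature does not verify shows that the submitter does not hold the matching private key.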

Connections