Create CSR (Certificate Signing Request)

Generate Certificate Signing Requests (CSR) to purchase or renew SSL/TLS certificates from Certificate Authorities.

What is a CSR?

A Certificate Signing Request (CSR) is a block of encoded text that contains:

  • Your Information - Domain, organization, location
  • Public Key - Will be included in the certificate
  • Signature - Made with your private key; proves you hold the key that matches the public key

Purpose:

  • Submit to Certificate Authority (CA)
  • CA verifies your information
  • CA issues signed certificate
  • You install certificate on server

Think of it as:

  • CSR = Application form for SSL certificate
  • Private Key = Your secret key (keep safe!)
  • Certificate = Approved document from CA

Accessing Create CSR

From Keychain Tab

1. Open Keychain tab
2. Click dropdown arrow next to "Generate" button
3. Select "Create CSR"

CSR Generation Interface

┌────────────────────────────────────────────────────┐
│ Create Certificate Signing Request [×] │
├────────────────────────────────────────────────────┤
│ Certificate Information: │
│ │
│ Common Name (CN): * │
│ ┌────────────────────────────────────────────┐ │
│ │ example.com │ │
│ └────────────────────────────────────────────┘ │
│ │
│ Organization (O): │
│ ┌────────────────────────────────────────────┐ │
│ │ Example Corporation │ │
│ └────────────────────────────────────────────┘ │
│ │
│ Organizational Unit (OU): │
│ ┌────────────────────────────────────────────┐ │
│ │ IT Department │ │
│ └────────────────────────────────────────────┘ │
│ │
│ City/Locality (L): │
│ ┌────────────────────────────────────────────┐ │
│ │ San Francisco │ │
│ └────────────────────────────────────────────┘ │
│ │
│ State/Province (ST): │
│ ┌────────────────────────────────────────────┐ │
│ │ California │ │
│ └────────────────────────────────────────────┘ │
│ │
│ Country (C): * │
│ ┌────────────────────────────────────────────┐ │
│ │ US │ │
│ └────────────────────────────────────────────┘ │
│ │
│ Email: │
│ ┌────────────────────────────────────────────┐ │
│ │ admin@example.com │ │
│ └────────────────────────────────────────────┘ │
│ │
│ [Generate CSR] │
└────────────────────────────────────────────────────┘

* Required fields

How to Generate CSR

Step 1: Fill Certificate Details

Common Name (CN) - Required:

Enter your domain name:
✓ example.com
✓ www.example.com
✓ subdomain.example.com

For wildcard certificate:
✓ *.example.com

Wrong:
✗ https://example.com (do not include the protocol)
✗ example.com/page (do not include a path)

Organization (O):

Your company name:
Example Corporation
ABC Company Inc.
John Doe (for personal)

Organizational Unit (OU):

Department or division:
IT Department
Web Services
Engineering Team

City/Locality (L):

City name:
San Francisco
New York
London

State/Province (ST):

State or province:
California
New York
England

Country (C) - Required:

Two-letter country code (ISO 3166):
US (United States)
GB (United Kingdom)
CA (Canada)
DE (Germany)

Email:

Contact email:
admin@example.com
webmaster@example.com
ssl@example.com

Step 2: Add Subject Alternative Names (Optional)

Multiple domains on one certificate:

Subject Alternative Names (SAN):

[+ Add Domain]

Domains:
1. example.com
2. www.example.com
3. api.example.com
4. cdn.example.com

[×] Remove

When to use SANs:

  • Multiple subdomains
  • WWW and non-WWW versions
  • Different domains (multi-domain cert)
  • API endpoints

Example multi-domain:

Primary: example.com
SANs:
- www.example.com
- mail.example.com
- shop.example.com

Step 3: Generate CSR

Click "Generate CSR" button

The tool will:

  1. Validate your information
  2. Generate private key (RSA 2048-bit)
  3. Create CSR with your details
  4. Display results

Generation time: 1-2 seconds


Step 4: View Results

┌────────────────────────────────────────────────────┐
│ CSR Generated Successfully ✓ │
├────────────────────────────────────────────────────┤
│ │
│ Certificate Signing Request (CSR): │
│ ┌────────────────────────────────────────────┐ │
│ │ -----BEGIN CERTIFICATE REQUEST----- │ │
│ │ MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMx │ │
│ │ EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV │ │
│ │ BAcMDVNhbiBGcmFuY2lzY28xFTATBgNVBAoM │ │
│ │ ... │ │
│ │ -----END CERTIFICATE REQUEST----- │ │
│ │ │ │
│ └────────────────────────────────────────────┘ │
│ [Copy CSR] [Download CSR] │
│ │
│ Private Key: │
│ ┌────────────────────────────────────────────┐ │
│ │ -----BEGIN PRIVATE KEY----- │ │
│ │ MIIEvwIBADANBgkqhkiG9w0BAQEFAASC... │ │
│ │ ... │ │
│ │ -----END PRIVATE KEY----- │ │
│ └────────────────────────────────────────────┘ │
│ [Copy Private Key] [Download Private Key] │
│ │
│ ⚠ IMPORTANT: Save private key securely! │
│ You'll need it when installing the certificate │
│ │
│ Certificate Info: │
│ • Subject: CN=example.com, O=Example Corp, ... │
│ • Key Type: RSA │
│ • Key Size: 2048 bits │
│ • Signature: SHA256withRSA │
│ • Fingerprint: AB:CD:EF:... │
│ │
│ [Download Both] [Close] │
└────────────────────────────────────────────────────┘

Step 5: Save CSR and Private Key

⚠ Critical: Save both files!

Save CSR:
- File: example.com.csr
- Purpose: Submit to CA
- Safe to share: Yes
- Keep: Until cert issued

Save Private Key:
- File: example.com.key
- Purpose: Install with certificate
- Safe to share: NO! Keep secret!
- Keep: For as long as the certificate is in use

Recommended storage:

Organization:
/certificates/
├── example.com/
│ ├── example.com.csr
│ ├── example.com.key (encrypted!)
│ ├── example.com.crt (after issued)
│ └── notes.txt

CSR Information

CSR Format (PEM)

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDEV4YW1wbGUgQ29ycDEW
MBQGA1UECwwNSVQgRGVwYXJ0bWVudDEMMAoGA1UEAwwDZXhhbXBsZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7VJTUt9Us8cKjMzEfYyjiWA4R
...
-----END CERTIFICATE REQUEST-----

Contains:

  • Your certificate details
  • Public key
  • Digital signature
  • Subject Alternative Names (if added)

Safe to share: Yes (no private key)


Private Key Format (PEM)

-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC7VJTUt9Us8cKj
MzEfYyjiWA4R4EM812U84L3CsZqdOYckRlcxC/1vTf8eKiM0WcEsaqVsEUk9t7z+
IvwsEqHdmD3d0K9c6v8FN1sM8eVLNw3lXLZiYjgIVxvfzSDAqnO7Cy7vCKPcMAOO
...
-----END PRIVATE KEY-----

Contains:

  • Private key (secret!)
  • Matches public key in CSR

⚠ Never share: Keep absolutely secret!


Key Information

Key Details:
├─ Algorithm: RSA
├─ Key Size: 2048 bits
├─ Format: PKCS#8 (PEM encoded)
├─ Encryption: None (plain text)
└─ Fingerprint: AB:CD:EF:01:...

Security:
⚠ Private key NOT encrypted
⚠ Store in secure location
⚠ Set file permissions: 600
⚠ Never commit to git
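
What Steps 1 to 3 produce can be reproduced and checked with the OpenSSL command line. This is an added example, not the tool's own code: it assumes OpenSSL 1.1.1 or later (for -addext), and the function names, subject values and file names are placeholders. It also checks the two properties stated above: the CSR's signature verifies, and its public key matches the private key.

```shell
#!/bin/sh
# Added example (not the tool's code). example.com and file names are placeholders.
set -eu

# make_csr DIR CN [SAN...]: RSA 2048 key (PKCS#8 PEM, unencrypted) plus CSR.
make_csr() (
  dir=$1; cn=$2; shift 2
  san="DNS:$cn"                      # list the CN as a SAN too
  for d in "$@"; do san="$san,DNS:$d"; done
  umask 077                          # files are created with mode 0600
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/$cn.key" 2>/dev/null
  openssl req -new -sha256 -key "$dir/$cn.key" -out "$dir/$cn.csr" \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Corporation/CN=$cn" \
    -addext "subjectAltName=$san"
)

# SHA-256 over the DER form of a PEM public key read from stdin.
spki_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# check_csr CSR KEY: true only if the CSR's signature verifies and the CSR
# carries the public half of KEY. The exit status of "req -verify" differs
# between OpenSSL releases, so the "verify OK" message is matched instead.
check_csr() (
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || exit 1
  [ "$(openssl req -in "$1" -noout -pubkey | spki_hash)" = \
    "$(openssl pkey -in "$2" -pubout | spki_hash)" ]
)

# csr_sans CSR: DNS names requested in the CSR, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Demo in a throwaway directory.
demo=$(mktemp -d)
make_csr "$demo" example.com www.example.com api.example.com
check_csr "$demo/example.com.csr" "$demo/example.com.key" && echo "CSR matches key"
csr_sans "$demo/example.com.csr"
```

Running check_csr against a CSR pasted back from a CA portal or a ticket is a quick way to catch a truncated copy or a CSR paired with the wrong key file.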

Submitting CSR to Certificate Authority

Step 1: Choose Certificate Authority

Free CAs:

Let's Encrypt:
- Cost: Free
- Validation: Automated (DV only)
- Validity: 90 days
- Renewal: Automated
- Best for: Most websites

ZeroSSL:
- Cost: Free
- Validation: Automated (DV)
- Validity: 90 days
- Similar to Let's Encrypt

Commercial CAs:

DigiCert:
- Cost: $200-$500/year
- Types: DV, OV, EV
- Support: 24/7
- Warranty: Yes

Sectigo (Comodo):
- Cost: $50-$300/year
- Types: DV, OV
- Support: Business hours
- Good value

GlobalSign:
- Cost: $250-$1000/year
- Types: DV, OV, EV
- Support: 24/7
- Enterprise focus

Step 2: Submit CSR

Typical process:

1. Go to CA website
2. Choose certificate type (DV/OV/EV)
3. Start certificate request
4. Paste your CSR
5. Choose validation method:
   - Email validation
   - DNS validation
   - HTTP file validation
6. Complete payment (if commercial)
7. Complete validation
8. Receive certificate

Validation methods:

Email Validation:

CA sends email to:
- admin@example.com
- administrator@example.com
- webmaster@example.com
- hostmaster@example.com

Click link to verify ownership

DNS Validation:

Add TXT record to DNS:
Name: _dnsauth.example.com
Value: abc123...

CA checks DNS record

HTTP File Validation:

Upload file to:
http://example.com/.well-known/pki-validation/file.txt

CA requests file to verify

Step 3: Receive Certificate

What you'll get:

From CA:
├─ Your Certificate (example.com.crt)
├─ Intermediate Certificate(s) (intermediate.crt)
└─ Root Certificate (root.crt) [optional]

You already have:
└─ Private Key (example.com.key)

Files for installation:

Required on server:
✓ Your certificate (.crt)
✓ Private key (.key)
✓ Intermediate certificate(s) (.crt)

Step 4: Install Certificate

Combine certificates (some servers):

# Create certificate bundle
cat example.com.crt intermediate.crt > example.com-bundle.crt

Nginx configuration:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/example.com-bundle.crt;
    ssl_certificate_key /path/to/example.com.key;
}

Apache configuration:

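<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /path/to/example.com.crt
    SSLCertificateKeyFile /path/to/example.com.key
    # SSLCertificateChainFile is obsolete since Apache 2.4.8; on newer versions,
    # point SSLCertificateFile at the combined bundle and drop this line.
    SSLCertificateChainFile /path/to/intermediate.crt
</VirtualHost>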

Step 5: Verify Installation

Test certificate:

1. Use SSL Certificate Checker tool
2. Visit https://example.com in browser
3. Check for padlock icon
4. Verify no warnings
5. Check expiration date
6. Confirm all domains work (SANs)

Common Use Cases

1. New Website SSL Certificate

First-time setup:

1. Generate CSR with domain name
2. Submit to CA (Let's Encrypt or commercial)
3. Complete validation
4. Receive certificate
5. Install on web server
6. Configure HTTPS redirect
7. Test thoroughly

2. Renew Expiring Certificate

Before expiration:

30 days before expiry:
1. Generate new CSR (same details)
2. Submit to same CA
3. Fast validation (CA remembers you)
4. Receive new certificate
5. Install new certificate
6. Verify working
7. Remove old certificate

3. Wildcard Certificate

For multiple subdomains:

Common Name: *.example.com

Covers:
✓ www.example.com
✓ api.example.com
✓ mail.example.com
✓ anything.example.com

Does NOT cover:
✗ example.com (root domain)
✗ sub.api.example.com (nested)

Solution: Add SANs:
- *.example.com
- example.com

4. Multi-Domain Certificate

One cert, multiple domains:

Common Name: example.com

SANs:
- example.com
- www.example.com
- example.net
- example.org
- shop.example.com

All protected by one certificate

5. Internal/Development Certificate

For testing:

1. Generate CSR
2. Self-sign instead of CA:
   openssl x509 -req -days 365 \
     -in example.csr \
     -signkey example.key \
     -out example.crt
3. Install on test server
4. Import root cert in browsers
5. Test HTTPS

⚠ Not for production!
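
openssl x509 -req ignores the extensions in a CSR unless told otherwise, so a certificate self-signed with the command above carries no SANs even when the CSR requested them. This added example (not from the original page; function names, subject values and file names are placeholders, OpenSSL 1.1.1 or later assumed) signs the same CSR both ways, lists the SANs that ended up in each certificate, and confirms the certificate matches the private key, the same check worth running on a CA-issued certificate before installing it.

```shell
#!/bin/sh
# Added example; example.com, function names and file names are placeholders.
set -eu

# selfsign DIR CN [SAN...]: create key + CSR, then self-sign the CSR twice:
#   CN.nosan.crt  as in the command above (CSR extensions are not copied)
#   CN.crt        SANs supplied again through -extfile
selfsign() (
  dir=$1; cn=$2; shift 2
  san="DNS:$cn"
  for d in "$@"; do san="$san,DNS:$d"; done
  umask 077                                  # key and outputs: mode 0600
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$cn.key" \
    -out "$dir/$cn.csr" -subj "/C=US/O=Example Corporation/CN=$cn" \
    -addext "subjectAltName=$san" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$dir/$cn.csr" \
    -signkey "$dir/$cn.key" -out "$dir/$cn.nosan.crt" 2>/dev/null
  printf 'subjectAltName=%s\n' "$san" > "$dir/$cn.ext"
  openssl x509 -req -days 365 -sha256 -in "$dir/$cn.csr" \
    -signkey "$dir/$cn.key" -extfile "$dir/$cn.ext" \
    -out "$dir/$cn.crt" 2>/dev/null
)

# cert_sans CERT: DNS names actually present in the certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_matches_key CERT KEY: true only if both files hold the same public key.
cert_matches_key() (
  c=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
  k=$(openssl pkey -in "$2" -pubout) || exit 1
  [ "$c" = "$k" ]
)

# Demo in a throwaway directory.
demo=$(mktemp -d)
selfsign "$demo" example.com www.example.com
echo "page command:  $(cert_sans "$demo/example.com.nosan.crt" | tr '\n' ' ')"
echo "with -extfile: $(cert_sans "$demo/example.com.crt" | tr '\n' ' ')"
cert_matches_key "$demo/example.com.crt" "$demo/example.com.key" && echo "certificate matches key"
```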

Best Practices

1. Protect Private Key

Security measures:

⚠ Never share private key
⚠ Never commit to git/version control
⚠ Don't email or send via chat
⚠ Don't store in plain text on server

Do:
✓ Encrypt file (gpg, 7zip, etc.)
✓ Set permissions: chmod 600
✓ Store in password manager
✓ Keep offline backup
✓ Use separate key per certificate

2. Document Everything

Keep records:

For each certificate:
- Domain(s)
- Generated date
- CA used
- Order number
- Validation method
- Expiration date
- Renewal reminder date
- Cost
- CSR file location
- Private key location (encrypted!)

3. Set Renewal Reminders

Don't let certificates expire:

Set reminders:
□ 60 days before expiration
□ 30 days before (start renewal)
□ 15 days before (urgent)
□ 7 days before (critical)

Calendar events
Email reminders
Monitoring tools

4. Keep CSR for Records

Save CSR file:

Why keep CSR:
- Renewal reference
- Verify what was requested
- Reissue if certificate lost
- Documentation
- Audit trail

Where:
- With certificate files
- Password manager notes
- Documentation system

5. Test Before Expiration

Renewal testing:

Week before switching:
1. Generate CSR
2. Get certificate
3. Install on test/staging
4. Verify works
5. Then install on production
6. Have rollback plan

Troubleshooting

CSR Validation Errors

Error: "CSR format invalid"

Solutions:

1. Re-generate CSR
2. Copy complete text (including BEGIN/END)
3. No extra spaces/line breaks
4. Use plain text editor
5. Verify not corrupted

Wrong Information in CSR

Issue: Made mistake in details

Solution:

Start over:
1. Generate new CSR with correct info
2. Delete old CSR
3. Submit new CSR to CA
4. CA will use new information

Lost Private Key

⚠ Critical Issue: Cannot use certificate without private key

If lost before getting certificate:

1. Generate new CSR (creates new key)
2. Submit new CSR to CA
3. Old CSR now useless

If lost after getting certificate:

1. Certificate unusable
2. Must revoke certificate
3. Generate new CSR
4. Request reissue from CA (may cost money)
5. Install new certificate

Prevention:

✓ Backup immediately after generation
✓ Store encrypted
✓ Document location
✓ Test backup restoration

CA Rejects CSR

Error: "CSR does not meet requirements"

Common causes:

- Key size too small (<2048 bits)
- Invalid domain name format
- Missing required fields
- Special characters in fields
- Country code invalid

Fix:
1. Check CA requirements
2. Regenerate with correct info
3. Resubmit


Pro Tip: Generate CSR 30 days before certificate expiration. This gives you time to complete validation, receive the certificate, and install it before the old one expires!