To get an SSL Certificate for your domain or hostname, you’ll need to create a Certificate Signing Request (CSR). A CSR is a request for a Certificate Authority (CA) to issue your SSL Certificate. It includes your public key and information about your domain or hostname. Here’s a breakdown of the details you’ll need to provide in the CSR:
- Common Name (CN): This is the Fully Qualified Domain Name (FQDN) of your server. It should exactly match what you type in your web browser to avoid any security errors.
- Organization Name (O): The legal name of your company or organization. The name should not be abbreviated and should include the corporate identifier such as Inc., Corp, or LLC (if applicable). For DV orders, you can use your personal name.
- Organization Unit (OU): The unit or division of the company or organization that manages the certificate (e.g. IT Department).
- Locality (L): The city where you are located.
- State or Province Name (ST): The state or province where you are located.
- Country (C): The country where you are located.
- Email Address: An email address associated with the company.
- Root Length: The bit-length of the key pair determines its strength. A 2048-bit key size is the new industry standard, chosen to ensure security for the future.
- Signature Algorithm: Issuing Certificate Authorities use hashing algorithms, which generate unique hash values from files, to sign certificates and CRLs (Certificate Revocation Lists). It is recommended that your certificate be signed with SHA-2, the strongest signature algorithm adopted by the industry.
The Private Key
In addition to creating a CSR, the web server also exports a private key file that corresponds to the CSR. The private key is a unique cryptographic key used to decrypt sensitive data that was encrypted with its corresponding public key before transmission. The private key should never be shared with anyone outside of the secured server environment. If it is lost or compromised, malicious users could read the encrypted communications and your organization’s reputation could be put at risk, which defeats the entire methodology behind the Public Key Infrastructure (PKI). We highly recommend creating a new key pair and replacing or reissuing your SSL Certificate if the private key is lost or compromised.
Example of CSR
Most CSRs are created in the Base-64 encoded PEM format and include the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines as the header and footer tags of the CSR. A standard PEM format CSR will look like the following example:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
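The steps described above, carried out with the OpenSSL command line as an added example (not part of the original article): it generates a 2048-bit RSA key pair and a SHA-256-signed CSR, then checks the PEM header, key size, signature algorithm, self-signature, and that the private key corresponds to the CSR. It assumes OpenSSL is installed; the subject values, file names and function names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. Subject values and file names are constructed placeholders.
SUBJ="/C=US/ST=Example State/L=Example City/O=Example Inc/OU=IT Department"
SUBJ="$SUBJ/CN=www.example.com/emailAddress=admin@example.com"

# make_csr DIR: write DIR/server.key (private key) and DIR/server.csr (PEM CSR).
make_csr() {
    # umask 077 keeps the key file owner-only; -nodes leaves it unencrypted,
    # so it must stay inside the secured server environment.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
          -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null )
}

# Key size in bits, as recorded in the CSR's public key.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Algorithm used to sign the CSR (a SHA-2 variant is expected).
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Signature Algorithm: *//p' | head -n 1
}

# The CSR is signed with the requester's private key; verify that signature.
csr_self_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# key_matches_csr KEY CSR: the public half of KEY must equal the CSR's key.
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

workdir=$(mktemp -d)
make_csr "$workdir"
csr="$workdir/server.csr"
echo "header:    $(head -n 1 "$csr")"
echo "subject:   $(openssl req -in "$csr" -noout -subject)"
echo "key bits:  $(csr_key_bits "$csr")"
echo "sig alg:   $(csr_sig_alg "$csr")"
csr_self_signature_ok "$csr" && echo "self-signature: OK"
key_matches_csr "$workdir/server.key" "$csr" && echo "key matches CSR"
rm -rf "$workdir"
```

Only the `server.csr` file is sent to the CA; `server.key` stays on the server.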