What is a Certificate Signing Request (CSR)?
When we issue your certificate it will contain two critical
pieces of information about you. The first is the "Distinguished
Name", which is a set of values that describes your country,
state or province, city or town, organization, division within
that organization and your web server domain name. The second
is your "Public Key". For a more detailed overview
of these, please take a look at our FAQs.
If your organization is registered in the United States,
you will need to ensure that the state name included in the
CSR is written out in full. For example: California, Massachusetts,
etc. Please do not use abbreviated state names or state codes.
For a list of states please click here.
We get this information from a Certificate Signing Request
(CSR) that you paste into the first page of our on-line enrollment
process. Your web server software will contain all the necessary
code to generate public keys and the CSR - you just need to
specify what Distinguished Name attributes you want in the
certificate. Instructions for generating a CSR on each of
the servers we support can be found here.
We accept two kinds of Certificate Signing Requests (CSRs).
The first kind, and by far the most popular form, looks like
this:
-----BEGIN CERTIFICATE REQUEST-----
[Base64-encoded request data omitted]
-----END CERTIFICATE REQUEST-----
In technical terms, this is a Base64-encoded DER PKCS#10
Certificate Signing Request. Most modern web server software
will generate a CSR in this format: ApacheSSL, Stronghold,
Netscape's newer servers, Microsoft IIS and Zeus all comply
with this specification.
The second form of CSR we accept is based on the Privacy
Enhanced Mail (PEM) specification. WebSite Professional 1.1x,
4D WebSTAR Server Suite/SSL, Lotus Domino 4 and some other
older servers generate these CSRs, which look like this:
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type:4,MIC-ONLY
Content-Domain:RFC822
Originator-Certificate:
 [Base64-encoded self-signed certificate omitted]
MIC-Info: RSA-MD5,RSA,
J1pln0dwsjb6RI0zx+Kaia7f3eJL2RF6+paIwq4ap0jr4lt+RRILO2t5/jSRBPAI
e1B7MJ+gJ7RiYqekU3My5g==
V2ViU2l0ZSBQcm8NCg==
-----END PRIVACY-ENHANCED MESSAGE-----
In technical terms, this consists of an arbitrary PEM message
with a self-signed certificate request wrapped up in one of
the PEM headers ("Originator-Certificate"). We can
get the Public Key and Distinguished Name from that self-signed
certificate. Note: If your server generates this kind of CSR
you should choose the "PEM Message Header" or "WebSite
Professional" style of certificate when you actually
download the certificate after it has been issued.
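A pre-submission check for the points above, as an added example that is not part of the original page or the CA's own tooling: it classifies pasted text as one of the two accepted forms, reads the Distinguished Name from a PKCS#10 request, and flags a US state given as a code or abbreviation. The sample request is constructed (stub key and signature, hostname www.example.com), and all function names are hypothetical.

```python
import base64, re

DN_NAMES = {3: "CN", 6: "C", 7: "L", 8: "ST", 10: "O", 11: "OU"}  # X.520 OIDs 2.5.4.n
ARMOR = {"CERTIFICATE REQUEST": "PKCS#10", "PRIVACY-ENHANCED MESSAGE": "PEM message"}

def tlv(data, pos=0):  # read one DER element; return (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def children(value):  # split the value of a SEQUENCE or SET into its child values
    out, pos = [], 0
    while pos < len(value):
        _, val, pos = tlv(value, pos)
        out.append(val)
    return out

def csr_kind(text):  # classify pasted text by its armor line
    m = re.search(r"-----BEGIN ([A-Z -]+)-----", text)
    return ARMOR.get(m.group(1), "unknown") if m else "unknown"

def subject_dn(text):  # Distinguished Name of a PKCS#10 CSR, as a dict
    b64 = text.split("REQUEST-----")[1].split("-----END")[0]
    info = children(tlv(base64.b64decode(b64))[1])[0]  # CertificationRequestInfo
    dn = {}
    for rdn in children(children(info)[1]):            # [0] version, [1] subject
        for atv in children(rdn):                      # SEQUENCE { OID, value }
            oid, val = children(atv)[:2]
            if len(oid) == 3 and oid[:2] == b"\x55\x04":
                dn[DN_NAMES.get(oid[2], "2.5.4.%d" % oid[2])] = val.decode("utf-8", "replace")
    return dn

def state_problem(dn):  # True if a US request gives the state as a code or abbreviation
    return dn.get("C") == "US" and bool(re.fullmatch(r"[A-Za-z]{2}|.*\.", dn.get("ST", "")))

def enc(tag, *parts):  # DER encoder for the constructed sample (short lengths only)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_csr(state):  # constructed: real DN layout, empty stubs for key and signature
    rdns = [enc(0x31, enc(0x30, enc(6, b"\x55\x04" + bytes([n])), enc(0x13, v.encode())))
            for n, v in ((6, "US"), (8, state), (3, "www.example.com"))]
    info = enc(0x30, enc(2, b"\x00"), enc(0x30, *rdns), enc(0x30), enc(0xA0))
    der = enc(0x30, info, enc(0x30), enc(3, b"\x00"))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % base64.b64encode(der).decode()
```

The parser assumes ASCII or UTF-8 string types in the subject and does not verify the request's self-signature; `openssl req -in request.csr -noout -subject -verify` does both for a real CSR.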