What is a CSR file and how to create it?



Introduction

Whenever you reach the point at which you need to publish your product on the Internet, you have to apply for a new domain. Some years ago, there was no major problem in serving your frontend via plain HTTP, although HTTPS was recommended for obvious security reasons. Since Google started, in 2014, to rank sites using HTTPS higher, securing your product with an SSL [1] Certificate is almost mandatory.

Whatever the provider you choose to buy your domain from, they are going to ask for a Certificate Signing Request (CSR) [3] file.

A CSR is a block of encoded text that Certificate Authorities (CA) require when we apply for an SSL [1] Certificate for our domain. The CSR file is a standardized way to send your public key together with some information that identifies you, such as your company name, your location or your contact information. A private key is usually created at the same time that you create the CSR, making a key pair. The CA will use the CSR to generate your Digital Identity Certificate.

The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

The CSR is usually encoded using ASN.1 according to the PKCS #10 specification.

What does a CSR contain?

This is the typical information contained within a CSR:

| Distinguished Name | Information | Description | Example |
|---|---|---|---|
| CN | Common Name | The fully qualified domain name that you wish to secure | myproduct.com, *.product.com |
| O | Organization Name | Usually the legal name of a company or entity; it should include any suffixes such as Ltd., Inc., S.A., etc. | The Company S.A. |
| OU | Organizational Unit | Internal organization department/division name | DevOps |
| L | Locality | Town, city, village, etc. name | Madrid, Alcobendas |
| ST | State | State, province, region or county | Madrid, Zaragoza |
| C | Country | The two-letter ISO code for the country where your organization is located | US, ES |
| EMAIL | Email Address | The organization contact, usually the certificate administrator or IT department | user@mycompany.com |

How to generate a CSR?

The CSR is usually generated on the server (or any virtual infrastructure) where the new certificate will be installed, but it can also be generated locally on your computer with the appropriate tools.

It is quite easy to generate a CSR by using the OpenSSL [4] toolkit interactively:

    openssl req -nodes -newkey rsa:4096 -keyout <certificate-name>.key -out <certificate-name>.csr

or directly setting the parameters on the command line:

    openssl req -nodes \
                -newkey rsa:4096 -keyout <certificate-name>.key \
                -out <certificate-name>.csr \
                -subj "/emailAddress=<email>/CN=<CN>/ST=<state>/L=<location>/O=<organization>/OU=<organizationalUnit>/C=<country>"

The bit-length of a CSR and private key pair determines how easily the key can be cracked using brute force methods. As of 2016, a key size of less than 2048 bits is considered weak and could potentially be broken in a few months or less with enough computing power. 4096 bits is recommended.
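
An added example (not part of the original post) that generates the key pair and CSR non-interactively and then checks, before the CSR is sent to a CA, the points described above: the CSR's self-signature, that it carries the public key of the private key on disk, and the key size. The function names and subject values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Subject values are constructed.

# make_csr NAME SUBJECT [BITS]: write NAME.key and NAME.csr.
make_csr() {
    local name="$1" subject="$2" bits="${3:-4096}"
    # -nodes leaves the key unencrypted, so create it readable by the owner only.
    ( umask 077
      openssl req -new -nodes -newkey "rsa:${bits}" \
          -keyout "${name}.key" -out "${name}.csr" -subj "${subject}" 2>/dev/null )
}

# csr_signature_ok CSR: a CSR is signed with its own private key;
# succeed only if that self-signature verifies.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSR KEY: succeed only if both carry the same public key.
csr_matches_key() {
    local csr_pub key_pub
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_key_bits CSR: print the public key size in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_subject CSR: print the subject as one RFC 2253 line.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Demo in a scratch directory that is removed afterwards.
demo() {
    local dir; dir=$(mktemp -d) || return 1
    make_csr "$dir/site" "/CN=www.example.test/O=Example S.A./C=ES" || return 1
    csr_subject "$dir/site.csr"
    echo "key bits: $(csr_key_bits "$dir/site.csr")"
    csr_signature_ok "$dir/site.csr" && echo "self-signature: OK"
    csr_matches_key "$dir/site.csr" "$dir/site.key" && echo "key matches CSR"
    rm -rf "$dir"
}
demo
```

Run `csr_matches_key` again with the issued certificate's public key (`openssl x509 -in <certificate-name>.crt -noout -pubkey`) to confirm the certificate belongs to the private key you kept.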