What Is a CSR?
A Certificate Signing Request (CSR) is a block of encoded text that you send to a Certificate Authority (CA) to apply for an SSL/TLS certificate. It contains your public key and information about your organization and domain.
What's Inside a CSR
A CSR contains the following fields:
| Field | Abbreviation | Example |
|---|---|---|
| Common Name | CN | www.example.com |
| Organization | O | Example Inc. |
| Organizational Unit | OU | IT Department |
| City/Locality | L | San Francisco |
| State/Province | ST | California |
| Country | C | US (2-letter ISO code) |
| Public Key | - | RSA 2048-bit or ECDSA |
How SSL Certificate Issuance Works
- Generate key pair: You create a private key and CSR on your server
- Submit CSR: Send the CSR to a Certificate Authority (Let's Encrypt, DigiCert, etc.)
- Verification: The CA verifies you own the domain (DNS, HTTP, or email validation)
- Certificate issued: The CA signs your public key and returns the certificate
- Install: You install the certificate on your web server
Generating a CSR with OpenSSL
# Generate private key and CSR in one command
openssl req -new -newkey rsa:2048 -nodes \
-keyout server.key -out server.csr \
-subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=www.example.com"
# View CSR contents
openssl req -in server.csr -noout -textCSR Format
A CSR is Base64-encoded and looks like this:
-----BEGIN CERTIFICATE REQUEST-----
MIICYDCCAUgCAQAwGzEZMBcGA1UEAwwQd3d3LmV4YW1wbGUuY29t
... (base64 encoded data) ...
-----END CERTIFICATE REQUEST-----Common Mistakes
- Losing the private key after generating the CSR (you'll need to regenerate both)
- Using a key size smaller than 2048 bits (most CAs reject these)
- Mismatching the domain name in the CSR with your actual domain
- Including a www prefix when you need a bare domain certificate (or vice versa)
Decode and verify any CSR instantly with the PureTools CSR Decoder. Paste your CSR to see all fields, key size, signature algorithm, and verify it's correctly formatted before submitting to a CA.