What is a CSR?
Overview
By the end of this article, you will understand what a Certificate Signing Request (CSR) is, the details it carries, how it pairs with your private key, and how it is formatted and verified. It covers the distinguished-name fields a CSR contains (such as Common Name and Organization), the key length and signature algorithm, the role of the private key and Public Key Infrastructure (PKI), the Privacy-Enhanced Mail (PEM) format used to encode a CSR, how to verify a CSR before submitting it, and the character rules for domain names. A CSR is the standardized request you send to a Certificate Authority (CA) to apply for an SSL/TLS certificate.
What is a CSR?
A CSR is a standardized request that sends the issuing Certificate Authority (CA) your public key, paired with a secret private key held on your server, along with information about the requester. Before a CA can issue your SSL certificate, you must create a CSR for the domain name or hostname on your web server.
What information does a CSR contain?
| Field | Meaning | Example |
|---|---|---|
| Common Name (CN) | The Fully Qualified Domain Name (FQDN) of your server. It must match exactly what you type in the browser, or you may receive a security error. | |
| Organization (O) | The legal name of your company, including the corporate identifier (Inc., Corp., or LLC). Do not abbreviate. For Domain Validation (DV) orders, you may use a personal name. | Example, Inc. |
| Organizational Unit (OU) | The division managing the certificate. | IT Department |
| Locality (L) | The city you are located in. | Mountain View |
| State or Province (ST) | The state or province you are located in. | California |
| Country (C) | The two-letter code for your country. | US |
| Email address | An email address associated with the company. | |

Key length and signature algorithm
- Key length: the bit length of the key pair determines how hard the key is to break by brute force. A 2048-bit key is the current industry standard and provides strong security for the foreseeable future.
- Signature algorithm: the hashing algorithm a Certificate Authority uses to sign certificates and Certificate Revocation Lists (CRLs). Sectigo recommends Secure Hash Algorithm 2 (SHA-2), the strongest signature algorithm widely adopted by the industry.
The private key
When you create a CSR, your web server also generates a private key. The private key is a unique cryptographic key tied to the matching CSR and must never be shared outside your secured server environment. It is used to decrypt data that was encrypted with the corresponding public key, and vice versa.
If the private key is lost or compromised, malicious users could read your encrypted communications and put your organization's reputation at risk — which defeats the purpose of Public Key Infrastructure (PKI). If this happens, create a new key pair and reissue your SSL certificate.
CSR format (PEM)
Most CSRs use the Base-64 encoded Privacy-Enhanced Mail (PEM) format. A PEM-encoded CSR begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----. A standard CSR looks like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIDGDCCAgACAQAwgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
... (encoded request body) ...
-----END CERTIFICATE REQUEST-----
Verify a CSR before you submit it
To confirm the details inside a CSR (Common Name, Organization, and so on), decode it with the Sectigo CSR Decoder: https://secure.sectigo.com/utilities/decodeCSR.html. This tool is commonly used to troubleshoot errors during certificate generation.
For example, if you order a Wildcard SSL certificate but paste a CSR with the Common Name www.example.com, you will receive an error, because a wildcard requires an asterisk at the left-most subdomain level (*.example.com). The decoder lets you spot the mistake and create a new key pair.
Domain name character rules
Per Request for Comments (RFC) 1035, domain name labels may use only these characters, and each label may be at most 63 characters long:
- Letters A–Z and a–z (case is not significant — two names that differ only in case are treated as identical)
- Digits 0–9
- The hyphen
Each label must start with a letter, end with a letter or digit, and contain only letters, digits, and hyphens.
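The wildcard check and the label rules above can be run against a Common Name before the CSR is generated. The following is an added example, not Sectigo's code or part of the decoder tool; the function names, the two-label FQDN heuristic, and the sample names are assumptions made for illustration.

```python
import re

# Label rules as stated above: starts with a letter, ends with a letter or
# digit, only letters/digits/hyphens in between, at most 63 characters.
# (RFC 1123 later allowed a leading digit; this follows the RFC 1035 rule.)
LABEL_RE = re.compile(r"[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def check_common_name(cn, wildcard_order=False):
    """Return a list of problems with a CSR Common Name; empty means OK."""
    problems = []
    labels = cn.strip().split(".")
    if len(labels) < 2:  # assumption: an FQDN has at least two labels
        problems.append("not a fully qualified domain name")
    has_wildcard = labels[0] == "*"
    if wildcard_order and not has_wildcard:
        problems.append("wildcard order needs '*' as the left-most label")
    if has_wildcard and not wildcard_order:
        problems.append("'*' label used on a non-wildcard order")
    # The asterisk is only accepted as the whole left-most label.
    for label in (labels[1:] if has_wildcard else labels):
        if "*" in label:
            problems.append(f"'*' not allowed in label {label!r}")
        elif len(label) > 63:
            problems.append(f"label longer than 63 characters: {label[:10]}...")
        elif not LABEL_RE.fullmatch(label):
            problems.append(f"label breaks RFC 1035 character rules: {label!r}")
    return problems


def same_name(a, b):
    """Case is not significant, so compare names case-insensitively."""
    return a.strip().lower() == b.strip().lower()


if __name__ == "__main__":
    # Constructed sample inputs: (common name, is this a wildcard order?)
    samples = [("www.example.com", True), ("*.example.com", True),
               ("shop-1.example.com", False), ("-bad.example.com", False)]
    for cn, wildcard in samples:
        print(cn, wildcard, check_common_name(cn, wildcard) or "OK")
```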