Generating a Certificate Signing Request (CSR)
The CSR generation process produces two things: a private key and a certificate request that carries the matching public key. The private key must be protected throughout the certificate's lifetime, as its compromise would allow attackers to impersonate your server. The CSR contains your public key along with identifying information about your organization and domain. This information becomes part of your certificate, so accuracy is crucial.
For Apache or Nginx on Linux systems, OpenSSL provides the standard tool for CSR generation. The command

    openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

creates a 2048-bit RSA key pair. During generation, you'll provide information including country code, state or province, city, organization name, organizational unit, and common name (your domain). The common name must exactly match your domain: www.example.com is different from example.com.
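The following shell script is an added example, not part of the original page: it runs the same `openssl req` command non-interactively, then checks the common name, the CSR's self-signature, and that the CSR matches the private key before you submit it. The subject values are constructed placeholders and the helper function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Subject values are constructed
# placeholders and the function names are hypothetical helpers.

# Generate a 2048-bit RSA key and CSR for DOMAIN inside DIR.
# -nodes writes the key unencrypted, so umask 077 keeps it owner-only.
generate_csr() {  # usage: generate_csr DOMAIN DIR
  ( umask 077
    # stderr is discarded only to hide key generation progress output
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$2/$1.key" -out "$2/$1.csr" \
      -subj "/C=US/ST=California/O=Example Org/CN=$1" 2>/dev/null )
}

# Print the common name stored in a CSR.
csr_common_name() {  # usage: csr_common_name CSR
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Succeed only if the CSR's self-signature verifies.
csr_signature_ok() {  # usage: csr_signature_ok CSR
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeed only if the CSR carries the public half of the given private key.
csr_matches_key() {  # usage: csr_matches_key CSR KEY
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Pre-submission check: prints "ok" or the first problem found.
check_csr() {  # usage: check_csr CSR KEY EXPECTED_DOMAIN
  [ "$(csr_common_name "$1")" = "$3" ] || { echo "CN mismatch"; return 1; }
  csr_signature_ok "$1" || { echo "bad signature"; return 1; }
  csr_matches_key "$1" "$2" || { echo "key mismatch"; return 1; }
  echo "ok"
}

# Demo in a throwaway directory: the second check fails because
# example.com is not the same name as www.example.com.
work=$(mktemp -d)
generate_csr www.example.com "$work"
check_csr "$work/www.example.com.csr" "$work/www.example.com.key" www.example.com
check_csr "$work/www.example.com.csr" "$work/www.example.com.key" example.com || true
rm -rf "$work"
```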
Windows IIS servers use the IIS Manager interface for CSR generation. Navigate to Server Certificates in the IIS Manager, select "Create Certificate Request," and complete the wizard with your organizational information. IIS stores the private key securely in the Windows certificate store. Save the generated CSR text file for submission to your Certificate Authority. The matching of CSRs to private keys happens automatically within Windows, simplifying later installation.