What is a CSR?
A Certificate Signing Request (CSR) is a block of encoded text that you submit to a Certificate Authority (CA) when applying for an SSL/TLS certificate. The CSR contains your public key and information about your organization that will be included in the certificate.
What a CSR Contains
| Field | Abbreviation | Example |
|---|---|---|
| Common Name | CN | example.com or *.example.com |
| Organization | O | My Company Ltd |
| Organizational Unit | OU | IT Department |
| City/Locality | L | Bangkok |
| State/Province | ST | Bangkok |
| Country | C | TH |
| E | [email protected] | |
| Public Key | — | RSA 2048-bit or EC key |
The CSR Process
- Generate a private key and CSR (key never leaves your server)
- Submit the CSR to a Certificate Authority
- CA validates your domain ownership (and organization for OV/EV certs)
- CA signs and returns the SSL certificate
- Install certificate + private key on your web server
Generate a CSR with OpenSSL
# Generate key and CSR together
openssl req -new -newkey rsa:2048 -nodes \
-keyout private.key \
-out server.csr \
-subj "/CN=example.com/O=My Company/C=TH"
# View the CSR contents
openssl req -in server.csr -text -noout💡 The Common Name (CN) must exactly match the domain you want to secure. For wildcard certificates use *.example.com to secure all subdomains. For multi-domain certs, the additional domains go in Subject Alternative Names (SANs), not the CN.
Free SSL Certificates
Let's Encrypt provides free, auto-renewing SSL certificates trusted by all major browsers. Use Certbot to automate the process — it generates the CSR, validates your domain, and installs the certificate automatically.
# Install Certbot and get a certificate for Nginx
certbot --nginx -d example.com -d www.example.com