
What is a CSR (Certificate Signing Request)?

A CSR (Certificate Signing Request) is a block of encoded data that you send to a Certificate Authority (CA) to apply for an SSL certificate. It contains your public key and domain information. The CA uses this to create your certificate.

What’s inside a CSR

| Field | Example | Required? |
|---|---|---|
| Common Name (CN) | example.com | Yes |
| Public Key | Your RSA or ECDSA public key | Yes |
| Key Algorithm | ECDSA P-256 or RSA 2048 | Yes |
| Organization | Your Company LLC | Optional for DV |
| Country | US | Optional for DV |
| SANs | www.example.com, api.example.com | For multi-domain |

For DV certificates (like Let’s Encrypt), only the domain name(s) and public key matter. The organizational fields are ignored.

How CSR generation works

  1. Generate a key pair — a private key and public key
  2. Build the CSR — encode the public key + domain info into a standardized format (PKCS#10)
  3. Sign the CSR — sign it with the private key (proves you have the matching private key)
  4. Send to the CA — the CA verifies your domain ownership, then uses the CSR to create your certificate

The private key never leaves your system. The CSR contains only the public key.

GetHTTPS handles the CSR automatically

With traditional tools, you’d manually generate a CSR with OpenSSL:

# The manual way (not needed with GetHTTPS)
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
  -keyout privkey.pem -out csr.pem -nodes \
  -subj "/CN=example.com"

With GetHTTPS, you never see or touch the CSR. The tool:

  1. Generates the key pair in your browser (Web Crypto API)
  2. Builds the CSR automatically from your domain input
  3. Sends it to Let’s Encrypt as part of the ACME flow
  4. Gives you the signed certificate to download

The CSR is an internal step — you just enter your domain and get a certificate.

Generating a CSR manually (when needed)

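If you need a standalone CSR (for a commercial CA, or a platform that requires you to upload one), here’s how. The -nodes option writes privkey.pem unencrypted, so restrict who can read that file. For an ECDSA P-256 key: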

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
  -keyout privkey.pem -out csr.pem -nodes \
  -subj "/CN=example.com"

RSA 2048

openssl req -new -newkey rsa:2048 \
  -keyout privkey.pem -out csr.pem -nodes \
  -subj "/CN=example.com"

With multiple domains (SAN)

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
  -keyout privkey.pem -out csr.pem -nodes \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

Verify a CSR

openssl req -in csr.pem -noout -text

This shows the domain name(s), key algorithm, and key size embedded in the CSR.
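
The text dump above does not check the CSR's signature or confirm which private key it belongs to. The script below is an added example (not GetHTTPS code) that runs both checks and lists the SAN names before submission; it assumes OpenSSL 1.1.1 or later, and example.com, the file names and the function names are sample values.

```sh
#!/bin/sh
# Added example: checks to run on a CSR before sending it to a CA.
# example.com, the file names and function names are constructed sample values.

# SHA-256 of the public key that belongs to a private key file.
key_pub_digest() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key embedded in a CSR.
csr_pub_digest() {
  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# DNS names listed in the CSR's subjectAltName extension, one per line.
csr_san_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# Prints "ok" only if the CSR's self-signature verifies (proof of possession)
# and its public key is the one derived from the given private key.
check_csr() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "bad signature"; return 1; }
  [ "$(csr_pub_digest "$1")" = "$(key_pub_digest "$2")" ] ||
    { echo "key mismatch"; return 1; }
  echo "ok"
}

# Demo: -nodes writes the key unencrypted, so keep new files owner-only.
umask 077
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
  -keyout "$work/privkey.pem" -out "$work/csr.pem" -nodes \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null

check_csr "$work/csr.pem" "$work/privkey.pem"   # CSR checked against its own key
csr_san_names "$work/csr.pem"                   # names the CA will be asked to certify
```

The signature check greps for "verify OK" rather than relying on the exit status, because the wording of the message and the exit code on failure differ between OpenSSL releases.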

CSR in the ACME protocol

In the ACME protocol (used by Let’s Encrypt), the CSR is sent during the finalize step — after domain validation passes. The CA uses the public key from the CSR to build your certificate. The CSR format is PKCS#10, encoded as base64url in the ACME JSON message.

With GetHTTPS, this entire process happens in JavaScript using the Web Crypto API and pkijs library. You never see the raw CSR bytes.
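
To make the encoding concrete, here is an added example (shell and OpenSSL, not the JavaScript GetHTTPS runs) that turns a PEM CSR into the base64url string carried in the finalize message and decodes it back. It assumes the `csr` field name from RFC 8555; example.com, the file names and the function names are sample values.

```sh
#!/bin/sh
# Added example: encode a CSR the way the ACME finalize request carries it.
# example.com, the file names and function names are constructed sample values.

# base64url without padding: the encoding ACME uses for binary fields.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# Finalize payload: the CSR converted from PEM to DER, then base64url-encoded.
# A real client sends this JSON as the payload of a JWS signed with the
# ACME account key; that wrapping is left out here.
acme_finalize_payload() {
  printf '{"csr":"%s"}' "$(openssl req -in "$1" -outform DER | b64url)"
}

# Receiving side: pull the csr field back out, restore padding, decode to DER.
payload_to_der() {
  s=$(printf '%s' "$1" | sed 's/.*"csr":"\([^"]*\)".*/\1/' | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

# Demo: -nodes writes the key unencrypted, so keep new files owner-only.
umask 077
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
  -keyout "$work/privkey.pem" -out "$work/csr.pem" -nodes \
  -subj "/CN=example.com" 2>/dev/null

payload=$(acme_finalize_payload "$work/csr.pem")
printf '%s\n' "$payload"
# The decoded bytes are the same PKCS#10 request, so its signature still verifies.
payload_to_der "$payload" | openssl req -inform DER -noout -verify -subject 2>&1
```

The payload contains only the public key and the requested names, which is why it can travel in the request body while the private key stays on the machine that generated it.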

Frequently asked questions

Do I need to keep the CSR file?

No. The CSR is only used during the certificate request. After the CA issues your certificate, the CSR serves no purpose. Keep your private key and certificate — you can discard the CSR.

Can I reuse a CSR for renewal?

Technically yes, but it’s better to generate a new key pair and CSR for each renewal. This follows the principle of key rotation and limits exposure if a key is compromised.

What’s the difference between a CSR and a certificate?

A CSR is a request — it contains your public key and asks the CA to sign it. A certificate is the result — it’s the CA’s signed statement that your public key belongs to your domain. The CSR is input; the certificate is output.

Can I generate a CSR for a wildcard domain?

Yes. Use *.example.com as the Common Name:

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
  -keyout privkey.pem -out csr.pem -nodes \
  -subj "/CN=*.example.com"

With GetHTTPS, you don’t need to generate a CSR manually — enter *.example.com as the domain and GetHTTPS handles the CSR automatically.

What does “key usage” in a CSR mean?

Key usage extensions specify what the certificate can be used for — typically “Digital Signature” and “Key Encipherment” for TLS certificates. GetHTTPS and most ACME clients set these correctly by default. You only need to worry about key usage if you’re generating CSRs manually for a commercial CA with specific requirements.
