Generating Certificate Signing Request (CSR)

Certificate Signing Request (CSR) is a text file containing encrypted information about a domain registrant and a public key.

A CSR may be generated when ordering an SSL certificate or on the web server.

Generating CSR in "Manage your account" section

In order to generate a CSR, enter your contact details in Latin characters at a relevant step of the order wizard when ordering an SSL certificate. At the next step, a CSR will be generated with a private key to be installed on the web server together with an SSL certificate.

Note: Please safely store your private key in a separate file that cannot be accessed by third parties. In case of losing the private key, a new certificate will have to be generated and issued.

Generating CSR on web server

The following fields are to be filled in with Latin characters during CSR generation on the web server:

  • Common Name: full domain name, e.g., www.nic.ru. If you generate a CSR for a wildcard certificate, the CN field should contain an entry in *.domain.com format. The asterix (*) allows using a certificate for any number of subdomains of the same level on the unlimited number of servers. This only applies to subdomains of the level containing the * symbol.
  • Country Name: two-letter country code, e.g., RU for Russia
  • State or Province Name: region, e.g., Moscow
  • Locality Name: city or town
  • Organization Name: name of a company or individual

CSR fill-in recommendations:

  • When ordering Thawte SSL123 or Geotrust Rapid Wildcard certificates, you may enter the details of the Registrant from the Whois service, or any other individual or entity, for which a certificate is issued, into the Organization Name field.
  • When ordering other certificates, you should enter the name of an entity, for which a certificate is issued, into the Organization Name field without quotation marks in Latin characters in accordance with a legal entity registration certificate.

Instructions:

Generating CSR on RU-CENTER hosting
Generating CSR for Apache

Generating CSR for Microsoft IIS

When creating a CSR for a Microsoft IIS web server, we recommend that you do it directly on the web server in order to avoid problems with installing an SSL certificate in future.

Instructions:

Generating CSR for Microsoft IIS 5.x/6.x
Generating CSR for Microsoft IIS 7.x

A CSR may also be generated with a private key on the server where the certificate is to be installed.

Note: If you use a shared infrastructure of physical servers for your website and a Microsoft IIS web server, when generating a CSR and a private key you should specify that your CSR and private key should be exportable, otherwise you will not be able to install the certificate on several servers and will have to reissue the certificate.

Checking domain ownership

For certificates validating domains (certificates with simplified validation), there are several ways to check domain ownership:

— Receiving a letter at an email address on the domain.

The letter will be sent to an address of one of the following types:

  • admin@[domain_name]
  • administrator@[domain_name]
  • hostmaster@[domain_name]
  • postmaster@[domain_name]
  • webmaster@[domain_name]

In addition, [domain_name] should correspond to the Common Name (CN) field in a CSR.

In case a certificate is ordered for a subdomain, it is allowed to use an email address on the second-level domain.

For example, the following email addresses can be used for ordering a certificate for www.test.ru:

  • admin@www.test.ru
  • admin@test.ru

— Placing an html-file into a website root directory.

A file name and its contents will be sent to the email address specified in the contract.

— Making a CNAME record.

Record contents will be sent to the email address specified in the contract.

CNAME record (Canonical Name) allows assigning mnemonic names to the host. Mnemonic names or aliases are widely spread for linking any function to the host, or just for shortening names.

CNAME record to be made in the DNS zone is written as:

dns_string CNAME sYYYYMMDDhhmmss. Domain
where dns_string represents a variable generated by the Certification Authority software
YYYY is a year when a certificate was ordered, for example, 2016
MM is a month when a certificate was ordered, for example, 04
DD is a day when a certificate was ordered, for example, 05
hh means hours
mm means minutes
ss means seconds

Предыдущая статья

Preparing data for validation

Следующая статья

Obtaining and Installation of SSL Certificate

Всё ещё остались вопросы?