How to create a Certificate Signing Request (CSR)

Article Number: 000070658

User-added image

Jump to How-to Guides

How-to Guides
Can I use a CSR with a 1024-bit key length?
What should I do if I get a "CSR cannot be decoded or is invalid" message?
What is a weak RSA key?


Before you send a request for an SSL certificate, you must create a Certificate Signing Request (CSR) on the server that you want to secure.

A CSR is an encrypted file that contains information about your company, including the domain name.

The CSR must include this information:

  • Country: Two-letter ISO 3166 country code. For example, the code for the Japan is "JP". For other countries, see the ISO list of country codes or here.
  • State or Province: Full name of the state or province where your company is headquartered, such as "California".
  • Locality or City: Full name of the locality or city where your company is headquartered, such as "Los Angeles".
  • Organization: Full legal name of your company.
  • Common Name:The website that you will protect with the SSL certificate.

Note: If a certificate request contains an IP address (such as, the certificate cannot be issued. The certificate request may contain a fully qualified domain name (, second-level domain (, or a wildcard domain (* All domain names must be publicly registered. Domains not publicly registered are considered internal server names (ISNs). Due to CA/Browser Forum requirements, the support for certificates that contain an ISN has been deprecated. Certificates containing an ISN are restricted to the OV level and must expire before November 1, 2015. In addition, certificates containing an ISN must be manually vetted, which may delay their issuance.

Note: Do not use blank fields in your CSR. If you do not wish a field to be in your certificate, simply do not include this field in your CSR. AffirmTrust does not currently support the use of "Organizational Unit" fields in CSRs. If you include an Organizational Unit field, it will be ignored.

How-to Guides

The process used to create a CSR depends on the server that you are securing.

For Microsoft servers, please see our article: Creating a CSR for Microsoft.

For Apache servers, please see our article: Creating a CSR for Apache.

For other servers, download the following documentation: Creating a CSR for other servers.

  • C2Net Stronghold
  • Cisco Adaptive Security Appliance (ASA) 5500
  • Cobalt RaQ4/XTR
  • F5 BIG IP (version 9)
  • F5 BIG IP (pre-version 9)
  • F5 FirePass VPS
  • HSphere Web Server
  • IBM HTTP Server
  • Java-based web server (generic)
  • Lotus Domino 8.5
  • Mirapoint
  • Nginx
  • Oracle Wallet Manager
  • Oracle WebLogic Server 8 or 9
  • Plesk 10
  • Plesk 9
  • Plesk 8
  • SAP Web Application Server 6.10 or higher
  • Zeus Web ServerPremium

Can I use a CSR with a 1024-bit key length?

No. Recommendations from the National Institute of Standards and Technology (NIST) and mandatory requirements of the Microsoft Root Certificate Program state that certificates issued after January 1, 2011 should have a minimum key length of 2048 bits. To fully comply with these recommendations, all AffirmTrust certificates require a minimum key length of 2048 bits.

What should I do if I get a "CSR cannot be decoded or is invalid" message?

The CSR can contain any of the following fields, but those marked mandatory must be included in order for the CSR to be processed successfully. Take note that Microsoft Windows IIS will not allow you to include the email address in your CSR.

  • Organization (Mandatory)
  • Locality (City) (Mandatory)
  • State/Province (Mandatory)
  • Country (2 character code) (Mandatory)
  • Common Name (Mandatory)
  • Email Address

Another possibility is that the CSR contains illegal characters in one of the fields. The fields can only contain alpha-numeric characters, with the exception of the Common Name and Email Address fields, which can also include the ‘@' and ‘.’ characters.

Note: Ensure that your CSR begins and ends with 5 dashes, as shown below:



If you are renewing your SSL certificate, you must create a new CSR; you cannot simply use the previous CSR because a new pending request and private key must be generated on your web server for the process to work.

If you are renewing using IIS, you cannot use the ‘renew certificate’ option on IIS, but must instead create a new CSR.

What is a weak RSA key?

Between 2006 and 2008, the Debian OpenSSL library contained a bug that resulted in the generation of weak, predictable keys for SSL certificates and other uses. The bug also compromises other keys and passwords that are transmitted over an encrypted link that uses weak keys.

When you request an SSL certificate by pasting a CSR into the AffirmTrust console, the console checks whether the CSR contains a Debian weak key. If the CSR contains a weak key, you will need to upgrade to the new version of the OpenSSL package and create a new CSR.

If you have any questions or concerns please contact the AffirmTrust support department for further assistance: 

Support Hours of Operation: 
Sunday 8PM ET to Friday 8PM ET
[email protected]