A certificate signing request (CSR) is the first step toward building an SSL/TLS certificate. It's a block of encoded text that can be created automatically by the server on which you wish to install your SSL/TLS certificate. Generating it creates a unique public key, carried in the CSR, that the browser will later use to match against the private key that stays concealed on the server. This is what makes CSRs a necessary part of constructing an SSL/TLS certificate.

For something that is seemingly complex and nebulous to a layperson, CSRs are surprisingly easy to create. They should be generated on the same webserver where the certificate will be installed by following instructions specific to your server type. Our installation help pages list the steps to create a CSR and install certificates for the most popular server platforms.

Within the CSR there is an optional field for Subject Alternative Names (SANs). For a server certificate that requires one or more SANs, there are two ways to specify them: (1) within the CSR, or (2) manually at the time the certificate is generated on our website.

You may add identifying information, but most public certification authorities (CAs) disregard the information provided in the CSR and include only verified information in the certificate.

| CSR Field | What is it | Example |
| --- | --- | --- |
| Common name (CN=) | Fully qualified name of your server | www.entrust.com |
| Organization (O=) | Organization name | Entrust Inc. |
| Organizational Unit (OU=) | Department name (optional) | IT |
| City/Locality (L=) | City/Locality | Shakopee |
| State/Province (S=) | State/Province | Minnesota |
| Country (C=) | 2 Letter Country Code | US |
| SAN(s) | Subject Alternative Name(s) (optional) | san1.entrustdatacard.com, san2.entrustdatacard.com, san3.entrustdatacard.com, etc. |

After creating a CSR, use the CSR Viewer to make sure that it is valid.
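As an added example (not Entrust's own instructions), this is how the table's sample fields and SANs map onto a request built with the OpenSSL command line, followed by a local inspection of the result. It assumes the `openssl` CLI is installed; the function names and the file names `csr.cnf`, `server.key` and `server.csr` are hypothetical.

```shell
#!/bin/sh
set -eu

# make_csr DIR: writes a key and CSR into DIR (hypothetical helper).
# The body is a subshell so the restrictive umask does not leak to the caller.
make_csr() (
    umask 077   # private key readable by its owner only
    # Values below are the sample values from the table; OpenSSL calls State "ST".
    cat > "$1/csr.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = Minnesota
L = Shakopee
O = Entrust Inc.
OU = IT
CN = www.entrust.com
[ext]
subjectAltName = DNS:san1.entrustdatacard.com,DNS:san2.entrustdatacard.com,DNS:san3.entrustdatacard.com
EOF
    # 2048-bit RSA key, unencrypted key file, SHA-256 signature on the request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/csr.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
)

# inspect_csr FILE: checks the request's self-signature and dumps its contents.
inspect_csr() { openssl req -in "$1" -noout -verify -text 2>&1; }

workdir=$(mktemp -d)
make_csr "$workdir"
inspect_csr "$workdir/server.csr" | grep -E 'verify OK|Subject:|Public-Key|DNS:'
```

Only `server.csr` is submitted; `server.key` stays on the server where the certificate will be installed.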

Voila! Copy and paste the CSR where prompted during the purchase process or within your Entrust Datacard portal, if you have an account. You may also send it over to us after you’ve purchased your SSL/TLS certificate from us, and your certificate will soon be ready to be deployed.

Additional CSR FAQs

Why do I need a Certificate Signing Request?

The Certificate Signing Request is required by Entrust Certificate Services to generate your digital certificate, and must be submitted to Entrust Certificate Services during the enrollment process. Entrust Certificate Services will issue a new certificate.

How do I generate a Certificate Signing Request?

Your Web Server Technical Manual should be the primary source of information. You may also consult the Server Support section on our web site for instructions on how to generate a CSR.

What guidelines should I use when generating a CSR?

  • Do not use special characters or shift characters in the challenge or revocation passphrase. These characters are unsupported. This includes the following: “.,;-@#$%^&!*)(-+=< / >?/:
  • Do not use special characters or shift characters in the Organization or Organization Unit level. These characters are unsupported. This includes the following: “.,;-@#$%^&!*)(-+=</ >?/:
  • Do not use a key bit length greater than 2048. Higher bit lengths are not supported.
  • The CSR should be in Base64-encoded (PEM) format. Some FTP and text editor programs might corrupt the format.
  • If you are using a Webmethods server, please do not enter a revocation passphrase. Please note that this passphrase is completely separate from the passphrase you entered online during the Entrust certificate enrollment.
  • If you are using IKEMAN on a Unix system, please do not use any punctuation characters or special characters when creating the CSR. This includes “.,;-@#$%^&!*)(-+=< / >?/:
  • Do not use the renewal feature in IIS 5 or 6 from the server certificate wizard. Instead, please use the instructions in Microsoft KB Article Q295281. Please note: if you are renewing a certificate from another CA, e.g. Verisign, please use the same KB Article.
  • Do not use a self-signed certificate. A self-signed certificate is not the same as a PKCS #10 certificate signing request (CSR).

A CSR should look similar to the following:


The Certificate Signing Request (CSR) begins with the line


Please be sure to include these lines when submitting your Certificate Signing Request (CSR) during the online enrollment process.

How do I proceed if I get an “Invalid CSR” message during the application or if the “Next” button does not work?

This error will occur when the Certificate Signing Request (CSR) is improperly formatted (i.e., spaces or carriage returns breaking the encoded data). For general CSR guidelines, please see question 4 or refer to our web server documentation. If your CSR is still rejected, you should generate a new CSR on your Web Server and retry the enrollment process. Our Support Team is available to help you.
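The formatting faults described here (and the editor or FTP corruption mentioned in the guidelines) can be caught before submission. The following is an added example, not an Entrust tool: a small linter for PEM text that flags carriage returns, whitespace inside the encoded data, and missing boundary lines. The function names are hypothetical, and the sample body is constructed filler rather than a real CSR.

```shell
#!/bin/sh
set -eu

# lint_csr_pem: reads PEM text on stdin, prints each fault, returns 1 if any.
lint_csr_pem() {
    awk '
        { if (sub(/\r$/, "")) cr++ }    # CRLF line endings from an editor or transfer
        /^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$/ { nb++; inside = 1; next }
        /^-----END (NEW )?CERTIFICATE REQUEST-----$/   { ne++; inside = 0; next }
        inside && /[ \t]/               { ws++ }    # spaces or tabs in the body
        inside && /[^A-Za-z0-9+\/= \t]/ { bad++ }   # outside the Base64 alphabet
        END {
            if (cr)      print "carriage returns on " cr " line(s)"
            if (nb != 1) print "expected one BEGIN line, found " (nb + 0)
            if (ne != 1) print "expected one END line, found " (ne + 0)
            if (ws)      print "whitespace inside encoded data on " ws " line(s)"
            if (bad)     print "non-Base64 characters on " bad " line(s)"
            exit (cr || nb != 1 || ne != 1 || ws || bad)
        }'
}

# sample LINE2: constructed PEM-shaped text (not a real CSR) for the demo.
sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' \
        'MIICconstructedSAMPLEbodyLINE1' "$1" \
        '-----END CERTIFICATE REQUEST-----'
}

# Clean copy, then a copy with a stray space and a carriage return on line 2.
sample 'MIICconstructedLINE2' | lint_csr_pem && echo "clean: safe to paste"
sample "$(printf 'MIIC constructedLINE2\r')" | lint_csr_pem \
    || echo "faults found: re-copy or regenerate the CSR"
```

To check a real request, run `lint_csr_pem < server.csr`, where `server.csr` stands for whatever file your server produced.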

How do I contact Entrust for additional assistance?

If you have additional questions, or need information, please contact Entrust Support by calling 866-267-9297 (1-613-270-2680 outside of North America), Monday through Friday 8:00 AM to 6:00 PM Eastern Time, or log a service request, or email us at [email protected].

Where do I get instructions to create a CSR?

Entrust has instructions and online tools to help you create a CSR on over 40 different webserver and device types. Please see our Installation Instructions page and locate the server type you are using in the list.

7-Part Blog Series

  1. SSL/TLS 101 — Why Do I Need an SSL/TLS Certificate
  2. SSL/TLS Certificate Types — Choosing the Right One for Your Use Case
  3. SSL/TLS Verification — Digital Identity for Your Website
  4. What is a SAN (Subject Alternative Name) and how is it Used?
  5. What is a CSR and How Do I Get One?
  6. What’s the Difference between a Public and Private Trust Certificate?
  7. How to Build an SSL/TLS Certificate | The Five Simple Steps That Bring You to HTTPS
