CSR File vs. Provided Certificate

There are two main ways to obtain a certificate for SSL (Secure Sockets Layer) to protect your communications over the internet. The first is to use a certificate provided by a third party; the second is to generate your own CSR (Certificate Signing Request) file and use it to obtain your digital certificate.

A CSR file is generated by an entity (typically a server or an individual) that wants to obtain a digital certificate from a Certificate Authority (CA). The CSR contains information about the entity, such as its domain name, organization details, public key, and other relevant details. When you generate a CSR, you essentially request the CA to create a digital certificate for you.

An example set of commands you could run to create your own CSR file is shown below.

  • Generate a private key on your server.

"Path to"\keytool -genkey -alias new_ssl -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=Server Name, OU=IT Operations, O=ABC CORP, L=Anywhere, ST=STATE, C=US" -keypass <Password> -keystore "Path to"\cacerts -storepass <Password>

* You can choose the password you want to use.

  • Create a CSR file containing your public key and relevant information about your organization.

 

"Path to"\keytool -certreq -v -alias new_ssl -file "Path to"\ServerName.csr -sigalg SHA256withRSA -keypass <Password> -keystore "Path to"\cacerts -storepass <Password>

-alias can be whatever you would like; I used "new_ssl" just for this example. It must be the same alias that was used when the key was generated.

-file is where you want to put the CSR and what you want to call it.

  • Submit the CSR to a CA.

  • The CA uses the information in the CSR to create a digital certificate that binds your public key to the provided information.

  • The CA signs the certificate with its private key, forming a trusted link between your public key and your identity.

  • The CA provides you with the signed certificate.
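Before the CSR is submitted, it is worth confirming what the file actually contains. The following is an added example, not part of the original article: it uses the OpenSSL command line (an assumption; the article itself uses only keytool) on a constructed sample key and CSR, with hypothetical function and file names, to check the self-signature, subject, key size, and that only the public key leaves the server.

```shell
#!/bin/sh
# Added example (not from the article): checks to run on a CSR before sending it to a CA.
# OpenSSL is used as an independent inspector; key and CSR are constructed sample input.

# Constructed subject mirroring the article's -dname value.
SUBJ="/C=US/ST=STATE/L=Anywhere/O=ABC CORP/OU=IT Operations/CN=Server Name"

make_sample() {   # $1 = directory; writes server.key and ServerName.csr there
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
        -keyout "$1/server.key" -out "$1/ServerName.csr" 2>/dev/null
}

# The CSR is signed with the requester's private key; a valid self-signature
# shows the file is intact and the requester holds the matching private key.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

csr_subject() {   # subject in RFC 2253 order, comparable to a keytool -dname string
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# SHA-256 over the DER-encoded public key, taken from a CSR and from a private key file.
csr_pubkey_sha256() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}
key_pubkey_sha256() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Only the CSR leaves the server; it must carry no private key block.
csr_has_no_private_key() { ! grep -q "PRIVATE KEY" "$1"; }

WORK=$(mktemp -d)
make_sample "$WORK"
CSR="$WORK/ServerName.csr"
csr_signature_ok "$CSR" && echo "signature: OK"
echo "subject:   $(csr_subject "$CSR")"
echo "key bits:  $(csr_key_bits "$CSR")"
[ "$(csr_pubkey_sha256 "$CSR")" = "$(key_pubkey_sha256 "$WORK/server.key")" ] &&
    echo "public key in CSR matches the private key kept on the server"
csr_has_no_private_key "$CSR" && echo "no private key material in the CSR"
```

The signature, subject and key-size functions work unchanged on the ServerName.csr written by keytool -certreq.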

 

A third-party-provided certificate is a digital certificate that has already been generated and signed by a Certificate Authority. Instead of generating a CSR and having it signed by a CA, you receive a certificate that is ready to be used. This might happen in scenarios where a third party, such as a hosting provider or a service, manages the certificate issuance process on your behalf. They generate the private key and the CSR and obtain the signed certificate from a CA.

 

Generating your own CSR does take a few steps, but it gives you more control over the private key and your own security. Using a third-party certificate is an easier way to obtain your certificate, but you do give up some of your control over your cryptographic keys and certificate details.
