The life cycle of each SSL certificate encompasses three primary stages: activation, validation of domain ownership (and sometimes company ownership), and installation of the certificate file on the server hosting the website. To establish a secure HTTPS:// connection displayed in the address bar, it is essential to comprehend this three-stage process, which commences with the generation of the CSR code.
How to correctly specify the domain in a CSR?
CSR, short for Certificate Signing Request, constitutes the initial and pivotal step towards obtaining an SSL certificate issued for your domain name. Upon purchasing an SSL certificate, it is initially unassigned to any domain or subdomain name. The CSR code enables you to specify the exact (sub)domain for which you desire the certificate to be issued. This code can be generated either through your hosting software or by your hosting provider, utilizing provided how-to manuals. Typically, you will be prompted to furnish the following information:
- Organization (O)
- Organizational Unit (OU)
- Country (C)
- State (S)
- Locality (L)
- Common Name (CN)
Here is what a CSR code looks like:
-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9yb
mlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGU
*** More encoded data here***
gSW5jMR8wHQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQD
Ew53d3cuZ26iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn
-----END CERTIFICATE REQUEST-----
While the points above are self-explanatory, the "common name" field deserves more detail. The common name is the host name (or names) associated with the SSL certificate. In other words, it is the Fully Qualified Domain Name (FQDN) of the domain or subdomain that you would like to be accessible over HTTPS. Keep in mind that, once issued, the SSL certificate will be valid only for the exact FQDN indicated in your CSR code, and HTTPS access to subdomains will result in a browser warning. Consider the following example:
An SSL certificate activated with the CSR code generated for www.example.com will not cover security.example.com or any other subdomain of example.com. It will be valid only for the FQDN indicated in the CSR. Likewise, an SSL certificate activated with the CSR code generated for security.example.com will cover neither www.example.com nor example.com.
CSR code needs to be generated in accordance with certain rules. The general requirement is to use alphanumeric characters and no special characters such as ! @ # $ % ^ ( ) ~ ? > < & / \ , . " ' _. More details can be checked here. Please avoid a passphrase during CSR code generation. The Challenge Password is the CSR attribute that specifies a password by which an entity may request a certificate revocation. This practice was deprecated long ago and is now considered obsolete.
IDNs (Internationalized Domain Names) are gaining popularity. If you have registered such a domain name, you can secure it with an SSL certificate. In this case, your domain name needs to be converted into punycode, and the punycode form must be indicated in the CSR code as the common name. Feel free to use this converter for this purpose.
It is worth mentioning that there are SSL certificates that can cover both www.example.com and example.com. COMODO CA (now Sectigo CA) has been offering this option for quite a long time.
The table below, with examples, may be useful during CSR code generation.
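The punycode conversion described above, as an added example that is not part of the original article. It uses Python's built-in `idna` codec; the function names and the sample host names are constructed for illustration.

```python
# Added example: produce the punycode (ASCII) form of an IDN for use as
# the common name in a CSR. Sample host names are constructed.

MAX_LABEL = 63   # DNS limit for a single label
MAX_NAME = 253   # DNS limit for the whole host name


def csr_common_name(hostname):
    """Return the ASCII form of `hostname` to enter as the CSR common name."""
    name = hostname.strip().rstrip(".")
    ascii_labels = []
    for label in name.split("."):
        try:
            # The built-in "idna" codec (IDNA 2003) turns a Unicode label
            # into its xn-- form and passes ASCII labels through unchanged.
            encoded = label.encode("idna").decode("ascii").lower()
        except UnicodeError as exc:
            raise ValueError(f"cannot encode label {label!r}: {exc}") from exc
        if not 0 < len(encoded) <= MAX_LABEL:
            raise ValueError(f"empty or over-long label in {hostname!r}")
        ascii_labels.append(encoded)
    result = ".".join(ascii_labels)
    if len(result) > MAX_NAME:
        raise ValueError(f"host name too long: {hostname!r}")
    return result


def display_name(common_name):
    """Decode a punycode common name back to Unicode for a visual check."""
    return ".".join(
        label.encode("ascii").decode("idna")
        for label in common_name.split(".")
    )


if __name__ == "__main__":
    for sample in ("münchen.example", "*.bücher.example", "www.example.com"):
        cn = csr_common_name(sample)
        print(f"{sample} -> CN={cn} (displays as {display_name(cn)})")
```

Decoding the result back with `display_name` before submitting the CSR confirms that the common name refers to the domain you registered; the built-in codec follows IDNA 2003, so compare its output with the converter your certificate provider recommends.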
SINGLE DOMAIN SSL CERTIFICATES
Desired result | CSR code needs to be generated for… | SSL certificates with an available option |
---|---|---|
https://www.example.com and https://example.com | You can generate your CSR code either for www.example.com or for example.com. Your certificate will cover both host names. | PositiveSSL, EssentialSSL, InstantSSL, InstantSSL Pro, PremiumSSL, EV SSL |
WILDCARD SSL CERTIFICATES
Desired result | CSR code needs to be generated for… | SSL certificates with an available option |
---|---|---|
https://example.com, https://www.example.com, https://subdomain.example.com, https://subdomain1.example.com, https://anything.example.com, *unlimited* | CSR code needs to be generated for *.example.com. Such a certificate will cover an unlimited number of one-level subdomains that can be placed instead of the asterisk. The base domain (example.com) is covered as well. | PositiveSSL Wildcard, Essential Wildcard, PremiumSSL Wildcard |
https://subdomain.example.com, https://subdomain1.subdomain.example.com, https://subdomain2.subdomain.example.com, https://subdomain3.subdomain.example.com, https://subdomain4.subdomain.example.com, *unlimited* | CSR code needs to be generated for *.subdomain.example.com. Such a certificate will cover an unlimited number of one-level subdomains that can be placed instead of the asterisk. The base domain (subdomain.example.com) is covered as well, but not example.com. | PositiveSSL Wildcard, Essential Wildcard, PremiumSSL Wildcard |
NB: Wildcard certificates cannot be activated with the CSR code generated for *.*.example.com or *.*.subdomain.example.com
MULTI-DOMAIN SSL CERTIFICATES
Desired result | CSR code needs to be generated for… | SSL certificates with an available option |
---|---|---|
https://www.example.com, https://example.com, https://domain.net, https://www.domain.net, https://subdomain.domain.net, https://domain.org, https://subdomain.domain.org, *any combination of subdomain or domain names and TLDs* | CSR code needs to be generated for all the domain or subdomain names you would like to secure with an SSL certificate. However, if your web server software does not allow it, you can generate it for one domain name and type others manually during the activation process. | PositiveSSL Multi-Domain, EV Multidomain SSL, Multi-Domain SSL, Unified-Communications |
NB: PositiveSSL Multi-Domain, EV Multidomain SSL, Multi-Domain SSL and Unified-Communications can secure up to 100 domain or subdomain names. Bare domain (example.com) and its www-subdomain (www.example.com) need to be indicated separately in the CSR code.
Please keep in mind that CSR code for these certificates should contain two (sub)domain names minimum (if the certificate is purchased as a Multi-Domain one, of course). Otherwise, it will not be possible to activate it and add other domain names later on, when needed. If there is no option to generate a CSR code for multiple hostnames using your hosting software, an additional domain name can be added manually during the activation process.
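The coverage rules from the three tables above, as an added example that is not part of the original article. The function name and the type labels "single", "wildcard" and "multi" are assumptions made for this illustration, and the host names are the article's own examples.

```python
# Added example: decide whether a host name is covered by a certificate,
# following the coverage rules in this article's tables.

def covered_by(csr_name, cert_type, host):
    """Return True if `host` is covered, following the article's tables.

    csr_name: the name in the CSR (a list of names for "multi").
    cert_type: "single", "wildcard" or "multi" (labels assumed here).
    """
    host = host.lower().rstrip(".")

    if cert_type == "single":
        cn = csr_name.lower()
        # The www / bare counterpart is included with the certificate.
        # The article shows this for www.example.com and example.com;
        # applying it to any other name is an assumption of this example.
        twin = cn[4:] if cn.startswith("www.") else "www." + cn
        return host in (cn, twin)

    if cert_type == "wildcard":
        cn = csr_name.lower()
        # Only a single leading "*." is accepted (no *.*.example.com).
        if not cn.startswith("*.") or "*" in cn[2:]:
            raise ValueError(f"not a valid wildcard name: {cn!r}")
        base = cn[2:]
        if host == base:  # the base domain is covered as well
            return True
        # Exactly one label may stand in for the asterisk.
        label, _, rest = host.partition(".")
        return bool(label) and rest == base

    if cert_type == "multi":
        # Only names listed explicitly are covered; the bare domain and
        # its www-subdomain count as two separate entries.
        return host in {name.lower() for name in csr_name}

    raise ValueError(f"unknown certificate type: {cert_type!r}")


if __name__ == "__main__":
    for h in ("example.com", "anything.example.com", "a.b.example.com"):
        print(h, covered_by("*.example.com", "wildcard", h))
```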
If you have any concern regarding the most suitable SSL certificate type, the common name in the CSR code, the certificate activation procedure or anything else, please do not hesitate to contact us at your convenience via Live Chat. Our doors are open for you 365/24/7!