Frequently Asked Questions (FAQs)
Certificate Signing Request (CSR) FAQ
- What is a Certificate Signing Request (CSR)?
- Why do I need a Certificate Signing Request?
- How do I generate a Certificate Signing Request?
- What guidelines should I use when generating a CSR?
- How do I proceed if I get an "Invalid CSR" message during the application or if the "Next" button does not work?
- How do I contact Entrust for additional assistance?
What is a Certificate Signing Request (CSR)?
A Certificate Signing Request (CSR) is a PKCS #10 request, which is an unsigned copy of your certificate. Entrust Certificate Services will use the CSR to generate your signed digital X.509 v3 SSL server certificate. Your CSR contains the following:
- Information about your organization (organization name, country, etc.)
- Your Web Server's public key
- A unique mathematical match to your server's private key.
Why do I need a Certificate Signing Request?
The Certificate Signing Request is required by Entrust Certificate Services to generate your digital certificate, and must be submitted to Entrust Certificate Services during the enrollment process. Entrust Certificate Services will issue a new certificate.
How do I generate a Certificate Signing Request?
Your Web Server Technical Manual should be the primary source of information. You may also consult the Server Support section on our web site for instructions on how to generate a CSR.
What guidelines should I use when generating a CSR?
- Do not use special characters or shift characters in the challenge or revocation passphrase. These characters are unsupported. This includes the following: ".,;-@#$%^&!*)(-+=<>?/:
- Do not use special characters or shift characters in the Organization or Organization Unit level. These characters are unsupported. This includes the following: ".,;-@#$%^&!*)(-+=<>?/:
- Do not use a key bit length greater than 2048. Higher bit lengths are not supported.
- The CSR should be in Base64 (PEM) encoded format. Some FTP and text editor programs might corrupt the format.
- If you are using a webMethods server, please do not enter a revocation passphrase. Please note that this passphrase is completely separate from the passphrase you entered online during the Entrust certificate enrollment.
- If you are using IKEYMAN on a Unix system, please do not use any punctuation characters or special characters when creating the CSR. This includes ".,;-@#$%^&!*)(-+=<>?/:
- Do not use the renewal feature in IIS 5 or 6 from the server certificate wizard. Instead, please use the instructions in Microsoft KB Article Q295281. Please note: if you are renewing a certificate from another CA (e.g., Verisign), please use the same KB article.
- Do not use a self-signed certificate. This is different from a certificate signing request (CSR) PKCS10 request.
A CSR should look similar to the following:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
The Certificate Signing Request (CSR) begins with the line "-----BEGIN CERTIFICATE REQUEST-----" and ends with the line "-----END CERTIFICATE REQUEST-----".
Please be sure to include these lines when submitting your Certificate Signing Request (CSR) during the online enrollment process.
How do I proceed if I get an "Invalid CSR" message during the application or if the "Next" button does not work?
This error will occur when the Certificate Signing Request (CSR) is improperly formatted (i.e., spaces or carriage returns breaking the encoded data). For general CSR guidelines, please see question 4 or refer to our web server documentation. If your CSR is still rejected, you should generate a new CSR on your Web Server and retry the enrollment process. Our Support Team is available to help you.
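The formatting problems named above (missing BEGIN/END lines, spaces or stray line breaks inside the encoded data, a certificate pasted in place of a CSR) can be checked locally before enrollment. The following is an added example, not Entrust's code: check_csr_pem and constructed_sample are hypothetical names, the sample is filler bytes with valid framing rather than a real CSR, and only the framing is checked, not subject fields or key length.

```python
import base64
import binascii
import re

# Both armor labels that appear on this page are accepted.
ARMOR = re.compile(
    r"\A-----BEGIN (NEW )?CERTIFICATE REQUEST-----\n(.*?)\n"
    r"-----END (NEW )?CERTIFICATE REQUEST-----\n\Z", re.S)


def check_csr_pem(text):
    """Return a list of framing problems; an empty list means none were found."""
    # Assumption of this example: CRLF line endings count as ordinary line breaks.
    text = text.replace("\r\n", "\n").strip() + "\n"
    if "-----BEGIN CERTIFICATE-----" in text:
        return ["this is a certificate, not a certificate signing request"]
    m = ARMOR.match(text)
    if not m or m.group(1) != m.group(3):
        return ["missing or mismatched BEGIN/END lines"]
    lines = m.group(2).split("\n")
    problems = [f"body line {n}: blank line or whitespace inside the encoded data"
                for n, line in enumerate(lines, 1)
                if not line or re.search(r"\s", line)]
    if problems:
        return problems
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        return [f"body is not valid Base64: {exc}"]
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded data does not start with a DER SEQUENCE"]
    # DER length octets: short form (< 0x80) or long form (0x80 | n, then n bytes).
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        return ["decoded length does not match the DER header (truncated or extra data)"]
    return []


def constructed_sample(payload_len=300):
    """Constructed stand-in: valid PEM/DER framing around zero bytes, not a real CSR."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + body +
            "\n-----END NEW CERTIFICATE REQUEST-----\n")
```

Call check_csr_pem on the exact text you intend to paste into the enrollment form; a CSR that passes here can still be rejected for reasons this check does not cover.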
How do I contact Entrust for additional assistance?
If you have additional questions or need information, please contact Entrust Support by calling 866-267-9297 (1-613-270-2680 outside of North America), Monday through Friday, 8:00 AM to 6:00 PM Eastern Time, or click here to log a service request, or email us at email@example.com.