The Certificate Signing Request is the first part of obtaining an SSL certificate. 

You have to send a Certificate Signing Request to a Certificate Authority because only they have the commonly agreed-upon authority to sign certificates. 

Creating a CSR does not require any knowledge of ACME's backend servers. 

ACME cannot generate the CSR for you, because then ACME would be responsible for maintaining security on the generated private key, as well as being responsible for SSL cert renewals. We are not in that business, so we need you to generate the CSR for yourself.


Creating a CSR

DigiCert provides a simple tool that builds the command for creating a CSR, which you then give to your SSL provider to issue the SSL certificate:

https://www.digicert.com/easy-csr/openssl.htm

Example input:

Common Name: your-custom-hostname.example.com
Organization: Your Organization
Department: (optional)
City: Your City
State / Province: Your State
Country: USA
Key Size: 2048

Then click Generate to produce the 'openssl' command that will actually create the CSR:

openssl req -new -newkey rsa:2048 -nodes -out your-custom-hostname_example_com.csr -keyout your-custom-hostname_example_com.key -subj "/C=US/ST=Your State/L=Your City/O=Your Organization/OU=(optional)/CN=your-custom-hostname.example.com"


Note: This command is intended for use on a Unix system with the 'openssl' command available.


Here’s a screenshot of the DigiCert CSR tool after clicking Generate with the text above as input:


Certificate and Private Key

OpenSSL creates both your private key and your certificate signing request, and saves them to two files:

  • your_common_name.key
  • your_common_name.csr

You can then copy the contents of the CSR file and paste it into the CSR text box in the order form of your SSL certificate provider, who will then generate the actual SSL certificate for you. Once that's done, you will send us the contents of "your_common_name.key" as "private key" in the Branded URL Activation form, along with the SSL certificate chain in the "SSL certificate" section.

Please note that both the certificate and private key begin (and end) with similar text:

certificate.ssl.txt

Note that there may be multiple certificates in the file you receive from your SSL provider; please include the entire certificate chain.

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

private.key.txt

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----


Once generated, please cut and paste the certificate and private key into the Branded URL Activation Form.


Finally – and this is very important – keep the generated private key in a secure place, with the same level of protection you would give production secrets. You will need the private key to re-generate your SSL certificate when it expires.
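
The generation step and the private key handling described above, as an added example that is not part of the original article: it creates the key and CSR with owner-only permissions, then checks the pair before anything is submitted. The function names are hypothetical, and the subject fields are the article's sample values with the optional OU left out.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# make_csr HOSTNAME OUTDIR: writes <hostname, dots as underscores>.key and .csr
make_csr() {
    base="$2/$(printf '%s' "$1" | tr '.' '_')"
    # umask 077 in a subshell: the new private key is owner-only from creation
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$base.key" -out "$base.csr" \
          -subj "/C=US/ST=Your State/L=Your City/O=Your Organization/CN=$1"
    ) 2>/dev/null
}

# pubkey_fp key|csr FILE: SHA-256 over the PEM public key contained in FILE
pubkey_fp() {
    if [ "$1" = key ]; then openssl pkey -in "$2" -pubout 2>/dev/null
    else openssl req -in "$2" -noout -pubkey 2>/dev/null
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair KEYFILE CSRFILE: prints OK, or the first problem found (status 1)
check_pair() {
    # Characters 5-10 of the ls mode string are the group/other permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "private key is accessible to group or other"; return 1; }
    # -nodes produces an unencrypted key, the header shown for private.key.txt
    head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$' ||
        { echo "key file does not start with BEGIN PRIVATE KEY"; return 1; }
    # The CSR is signed with its own key; match the text so that older
    # openssl builds that exit 0 on a failed verify are still caught
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR self-signature does not verify"; return 1; }
    [ "$(pubkey_fp key "$1")" = "$(pubkey_fp csr "$2")" ] ||
        { echo "CSR was not created from this private key"; return 1; }
    echo OK
}

# Usage: sh make_csr.sh your-custom-hostname.example.com /path/to/outdir
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" && check_pair "$base.key" "$base.csr"
fi
```

Running the same check again before renewal confirms that the stored key is still the one the CSR was made from.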