CSR is the request format used in the legacy "manual SSL" workflow:
- You generate a public/private keypair on your server.
- You create a CSR containing your public key plus your identity info (domain name, organization, location).
- You submit the CSR to a Certificate Authority (Sectigo, DigiCert, GeoTrust, etc.).
- The CA validates your identity (proving you control the domain, and for OV/EV certs, that your organization is real).
- The CA signs the CSR with their root key, producing your SSL certificate.
- You install the certificate on your server.
For modern automated SSL (Let's Encrypt, ACME protocol), CSRs still happen but the client tool (Certbot, your hosting provider's SSL panel, etc.) generates and submits them automatically. You don't see the CSR — the magic happens behind the scenes.
You'll most likely encounter CSRs when:
- Manually purchasing a paid SSL (OV, EV, Wildcard) from a CA
- Setting up SSL on infrastructure that doesn't support ACME (legacy load balancers, some enterprise gear)
- Generating client certificates for VPN access or mTLS
CSR generation is a 30-second command-line task: openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr. The resulting .csr is a base64-encoded blob you paste into your CA's purchase form.