“CSR generation” refers to creating a standardized certificate request (typically PKCS#10) that is submitted to a Certificate Authority (CA) to obtain a digital certificate. A CSR contains the public key, subject identity information (e.g., Common Name, organization), optional Subject Alternative Names (SANs such as DNS names or IP addresses), desired certificate purposes (Key Usage, Extended Key Usage), and a cryptographic signature made with the corresponding private key. The output is usually a PEM or DER file sent to a public or private CA. Common use cases include TLS/SSL for websites and APIs, mTLS for services/VPNs, S/MIME email, code signing, and device/IoT identities.
Key pair generation: Create secure keys (e.g., RSA, ECDSA, Ed25519) with selectable key sizes/curves and hash algorithms (e.g., SHA-256).
Subject & SAN editor: Maintain CN, O, OU, L, ST, C and Subject Alternative Names (DNS, IP, URI, email); support for wildcards and IDNs.
Purpose settings: Configure Key Usage / Extended Key Usage (e.g., TLS server/client, code signing, email protection).
Format & encoding options: Output PKCS#10 as PEM or DER; display/download the CSR and optional fingerprint.
HSM/TPM/KMS integration: Hardware-backed key generation and signing (non-exportable private keys), FIPS-compliant modes.
Validation & linting: Check syntax and policies against relevant RFCs and internal/CA rules (e.g., field lengths, allowed algorithms, SAN requirements).
Templates & policies: CSR templates with predefined fields/naming conventions; enforce minimum key sizes and EKUs.
Automation & APIs: CLI/REST interfaces, ACME client support (for automated issuance/renewal), scripting and pipeline integration.
Bulk & series generation: Batch CSRs for server fleets, IoT batches, or enterprise endpoints via MDM.
Workflow & tracking: Approval steps, linkage to tickets/CMDB, end-to-end status tracking from CSR to certificate issuance.
Ecosystem integration: Connectors to internal PKI/CA systems (e.g., AD CS, EJBCA, Vault PKI), directory services, and secret managers.
Roles & auditing: RBAC and audit logs for key creation, CSR export, and approvals.
Lifecycle support: Renewal/rotation (re-key), expiry notifications, mapping CSRs to existing certificates.
An IT team creates a CSR with SAN entries (example.com, www.example.com, api.example.com) to request a public TLS certificate.
In a CI/CD pipeline, each microservice automatically generates a key pair and CSR, which the internal CA signs for mTLS.
An MDM platform triggers on-device key creation in a TPM, builds a CSR, and obtains an S/MIME certificate for signed/encrypted email.
A manufacturer produces batch CSRs for thousands of IoT devices; the vendor CA signs them to provide device identities for cloud onboarding.
A build system creates a CSR for a code-signing certificate to cryptographically sign software releases.
A team replaces expiring certificates: the platform generates new CSRs (re-key) per policy and initiates centralized renewal.
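As an added illustration (not part of the original page or of any product it describes), the script below builds a CSR with the three SANs from the public TLS use case and then applies pre-submission checks of the kind listed under validation and linting: signature verification, a hash policy, and an exact SAN match. The openssl CLI, the subject values, the file names and the function names make_csr and lint_csr are assumptions made for the example.

```sh
#!/bin/sh
# Added example: build a PKCS#10 CSR with SANs, then lint it before submission.
# Assumptions: openssl CLI on PATH; subject values and file names are illustrative.

# make_csr <dir> <common-name> <san-list, e.g. "DNS:a.example,DNS:b.example">
make_csr() {
    dir=$1; cn=$2; sans=$3
    # Self-contained request config, so the result does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
O = Example Org
C = US
[ext]
subjectAltName = $sans
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
    # P-256 key, readable only by the owner; only the CSR is sent to the CA.
    ( umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" ) || return 1
    openssl req -new -sha256 -key "$dir/key.pem" -config "$dir/req.cnf" -out "$dir/req.pem"
}

# lint_csr <csr.pem> <required-dns-name>: returns 0 only if the CSR passes every check.
lint_csr() {
    csr=$1; want=$2
    # Proof of possession: the signature must verify under the CSR's own public key.
    # Check the printed result as well as the exit status.
    out=$(openssl req -in "$csr" -noout -verify 2>&1) || return 1
    case $out in *"verify OK"*) ;; *) return 1 ;; esac
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    # Policy: reject weak signature hashes.
    if printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm:.*(md5|sha1)'; then return 1; fi
    # Exact SAN match, so "example.com" does not accept "example.com.attacker.test".
    printf '%s\n' "$text" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$want"
}

# Demo with constructed values (the SAN set from the public TLS use case).
tmp=$(mktemp -d)
make_csr "$tmp" example.com "DNS:example.com,DNS:www.example.com,DNS:api.example.com" &&
    lint_csr "$tmp/req.pem" api.example.com && echo "CSR ok: $tmp/req.pem"
```

The private key stays in the working directory with owner-only permissions; req.pem is the only file that needs to reach the CA.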