CSR Generation Best Practices: Must SSL Certificate Requests Be Created on the Target Server?


3 views

When dealing with SSL/TLS certificates, a common question arises: Does the Certificate Signing Request (CSR) need to be generated on the exact server where the certificate will eventually be deployed? The answer isn't absolute yes or no, but depends on your infrastructure and security requirements.

CSR generation involves creating a public-private key pair. The private key must remain secure, which is why many recommend generating it on the target server:

# Example OpenSSL command to generate CSR
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

In load-balanced environments, you have three approaches:

  1. Generate separate CSRs/certificates for each server (most secure)
  2. Generate once and securely distribute private keys (common practice)
  3. Use a certificate management system (most scalable)

What matters most isn't where you generate the CSR, but how you handle the private key:

  • Private key should never be transmitted over insecure channels
  • Key files should have strict permissions (chmod 400)
  • Consider using hardware security modules (HSMs) in regulated environments

Major cloud platforms handle this differently:

# AWS Certificate Manager (no CSR needed)
aws acm request-certificate --domain-name example.com

# Azure Key Vault CSR generation
az keyvault certificate create --vault-name myvault --name mycert --policy @policy.json

Modern tools like certbot automate the process:

# Certbot example for automated certificate management
certbot certonly --webroot -w /var/www/html -d example.com

While many documentation sources (including SSL Shopper) state that CSRs must be generated on the target server, the technical reality is more nuanced. The critical requirement isn't physical server location but rather key pair consistency between the CSR and eventual certificate deployment.

# Example: Generating CSR and private key separately
openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr

The fundamental requirement is that:

  1. The private key used in CSR generation must be available on the server(s) where the certificate will be installed
  2. The CSR metadata (FQDN, organization details) must match the server's intended use

For multi-server environments, consider these approaches:

Centralized CSR Generation

# Generate once then distribute key+cert
scp example.key example.crt user@server1:/etc/ssl/
scp example.key example.crt user@server2:/etc/ssl/

Automated Provisioning

Using tools like HashiCorp Vault for dynamic certificates:

# Vault PKI example
vault write pki/issue/server common_name="cluster.example.com" ttl="8760h"

While technically possible to move keys between servers, best practices dictate:

  • Generate CSRs in secure environments
  • Use hardware security modules (HSMs) for production keys
  • Rotate certificates regularly (especially in clusters)

Some CAs may enforce origin-server generation through:

  • IP-based validation
  • Proof-of-possession challenges
  • Key usage restrictions

Always verify with your specific CA before implementing multi-server certificate strategies.