Introduction: The Critical Importance of Certificate Planning
In 2025, SSL/TLS certificates are foundational to security infrastructure, yet many organizations approach certificate procurement reactively—often scrambling when domains near expiration. This article focuses on Stage 1 (Planning) and Stage 2 (Procurement) of the SSL/TLS certificate lifecycle, demonstrating how thoughtful planning prevents outages, reduces costs, and ensures compliance.
The stakes have never been higher:
- Certificate validity shrinking dramatically: March 2026 reduces maximum certificate lifetime to 200 days (down from 398 days). By March 2029, it drops to just 47 days. This transforms certificate management from "annual renewal" to "monthly renewal."
- Automation is mandatory: Manual processes fail at 47-day lifespans. Organizations must implement ACME automation, continuous monitoring, and incident response playbooks now.
- Regulatory compliance: GDPR (breach notification), HIPAA (healthcare), PCI-DSS (payment cards), and SEC regulations require documented certificate management procedures.
Cost of poor certificate planning:
- Certificate expiration outages: Average $5,600/minute downtime cost (Gartner)
- Security incidents from compromised keys: Breach notification costs $4.45M average (IBM)
- Compliance violations: GDPR fines up to 4% of annual revenue
This guide walks through strategic planning (requirements analysis, CA selection, automation strategy, private key security) and tactical procurement (private key generation, CSR creation, format conversion) using our three integrated tools: Certificate CSR Generator, Certificate Transparency Lookup, and X.509 Decoder.
Stage 1: Planning & Certificate Strategy (1-2 Hours)
Step 1.1: Infrastructure Inventory & Requirements Analysis
Before purchasing or requesting certificates, you must understand what certificates you actually need. Many organizations over-provision (buying more SANs than necessary) or under-provision (missing critical subdomains).
Certificate Needs Assessment Checklist:
-
Identify all domains and subdomains:
- Primary domain: example.com
- WWW subdomain: www.example.com
- Staging environment: staging.example.com
- API endpoints: api.example.com, v2-api.example.com
- Admin dashboards: admin.example.com
- Wildcard coverage: *.internal.example.com
-
Classify by certificate type:
- Single domain certificates: Secure one specific domain only
- Wildcard certificates: Secure domain + all first-level subdomains (*.example.com)
- Multi-domain (SAN) certificates: Secure multiple specific domains in one certificate
- Wildcard SAN certificates: Combination of wildcard + specific domains
-
Determine validation level:
- DV (Domain Validation): Automated, 5-30 minutes, suitable for >95% of use cases
- OV (Organization Validation): Manual verification, 1-3 days, displays organization name
- EV (Extended Validation): Extensive verification, 5-7 days, green address bar (deprecated in most browsers)
Certificate Requirements Matrix Template:
| Domain | Type | Validation | CA | Server | Owner | Renewal Date |
|---|---|---|---|---|---|---|
| example.com | SAN | DV | Let's Encrypt | ALB-prod | DevOps | 2025-04-06 |
| *.internal.example.com | Wildcard | DV | Let's Encrypt | VPN Gateway | Security | 2025-04-06 |
| legacy.example.com | Single | OV | DigiCert | Legacy Server | Legacy Team | 2025-03-15 |
| api.partner.com | SAN | DV | Let's Encrypt | API Gateway | Platform | 2025-06-10 |
Using Certificate Transparency Lookup for Requirements Analysis:
The Certificate Transparency Lookup tool helps identify existing certificates and validates your requirements:
- Search your domains in CT logs
- Discover all currently active certificates
- Identify missing subdomains (compare against your requirements)
- Find unauthorized/unexpected certificates (potential security threat)
- Export certificate inventory as baseline
Example CT search results:
- example.com (DigiCert) - Expires 2025-03-15
- www.example.com (Let's Encrypt) - Expires 2025-04-06
- *.example.com (Not found - missing wildcard)
- old.example.com (Old certificate from 2023 - orphaned)
This analysis prevents embarrassing mistakes like forgetting www subdomain or discovering unexpected certificates from domain takeovers.
Step 1.2: Certificate Authority Selection
Choosing the right Certificate Authority is a strategic decision that affects cost, automation capabilities, support, and compliance. The 2025 landscape offers diverse options—no single "best" choice exists.
Let's Encrypt (Free, Automated)
Let's Encrypt revolutionized certificate provisioning with free, 90-day certificates and ACME automation.
Advantages:
- Free (zero cost for unlimited certificates)
- 90-day validity encourages automation
- ACME protocol enables full automation (renewals happen without human intervention)
- Trusted by all modern browsers (same root trust as commercial CAs)
- Excellent documentation and community support
- Perfect for development, staging, cost-sensitive production
Limitations:
- 90-day validity means frequent renewals (3 years = 12 renewals)
- No Organization Validation (OV) or Extended Validation (EV)
- Wildcard certificates require DNS-01 challenge (email DNS provider must support API)
- Rate limits: 50 certificates per registered domain per week (rarely a constraint)
- No warranty/insurance (not relevant for most organizations)
Best for: Startups, cost-conscious enterprises, development environments, organizations with DevOps automation capabilities
Rate Limit Details:
Per-domain limits (per week):
- 50 certificate limit per registered domain
- 50 duplicate certificate limit per domain (prevents cert spam)
- 100 names per certificate (SAN limit)
Rarely hit in practice—most organizations limit to <5 certs/domain/week
Commercial CAs (DigiCert, Sectigo, GlobalSign, Entrust)
Traditional commercial Certificate Authorities offer extended validity, OV/EV options, and customer support.
Advantages:
- Extended validity (until 2026: 398 days, decreasing to 200/100/47 days per CA/Browser Forum)
- Organization Validation (OV): Displays company name in browser (matters for brand-sensitive applications)
- Extended Validation (EV): Historical "green address bar" (deprecated in modern browsers, mainly irrelevant)
- Warranty/insurance (typically $10k-$1M, rarely enforced)
- Phone support and dedicated account managers
- Compliance certifications (SOC 2, ISO 27001)
- Managed services (certificate lifecycle management, automation)
Limitations:
- Cost: $50-$300/year DV, $200-$1,500/year OV/EV
- Manual workflows with longer issuance times (DV: 5-30 min, OV: 1-3 days, EV: 5-7 days)
- Not all support ACME (Sectigo and DigiCert now support ACME, GlobalSign and Entrust limited)
- Certificate validity shrinking (2026-2029 milestones will require increased management)
Pricing Comparison 2025:
| CA | DV/year | OV/year | EV/year | ACME | Wildcard |
|---|---|---|---|---|---|
| Let's Encrypt | $0 | N/A | N/A | Yes | Yes (DNS-01) |
| Sectigo | $60-$100 | $200-$400 | $400-$800 | Yes | Yes |
| DigiCert | $150-$200 | $400-$800 | $800-$1,500 | Yes | Yes |
| GlobalSign | $100-$150 | $300-$600 | $600-$1,200 | Limited | Yes |
| Entrust | $80-$120 | $250-$500 | $500-$1,000 | Limited | Yes |
Best for: Enterprises with brand sensitivity (OV display), highly regulated industries (banking, healthcare requiring audits), organizations needing premium support
Cloud-Native Solutions (AWS ACM, Azure Key Vault, GCP Certificate Manager)
Cloud providers offer integrated certificate management tightly coupled to their infrastructure.
AWS Certificate Manager (ACM):
- Free for AWS resources (ALB, CloudFront, API Gateway, ELB)
- Auto-renewal 60 days before expiration (no manual intervention)
- DNS validation (integrates with Route 53)
- Email validation (for non-AWS resources)
- Limitations: Only for AWS services; can't export certificates for use elsewhere
Azure Key Vault:
- Integrated certificate import/generation
- Supports multiple CAs (DigiCert, Let's Encrypt, GlobalSign)
- Auto-renewal for supported CAs
- RBAC for access control
- Limitations: Primary benefit to Azure services; pricing varies by CA
GCP Certificate Manager:
- Managed certificates with auto-renewal
- DV certificates only
- 30-day pre-expiration renewal
- Integrates with Cloud Load Balancing
- Limitations: GCP services primarily; limited CA options
Advantages of Cloud-Native:
- Free or low-cost (AWS ACM is free)
- Automatic renewal (no manual processes)
- Tight integration with cloud infrastructure
- Centralized management via cloud console
- Built-in high availability and redundancy
Limitations:
- Vendor lock-in (certificates often can't be exported or migrated)
- Limited to cloud provider's services
- Less flexibility for custom requirements
- OV/EV unavailable (DV only for most services)
Best for: Organizations heavily invested in cloud infrastructure, teams leveraging cloud-native security, startups preferring managed solutions
CA Selection Decision Tree:
Is your organization cloud-only (AWS, Azure, GCP)?
├─ YES: Use cloud-native solution (ACM, Key Vault, Certificate Manager)
│ └─ Lower cost, automatic renewal, built-in integration
└─ NO: Continue to next decision
Do you need OV (organization name display) or EV (green bar)?
├─ YES: Use commercial CA (Sectigo, DigiCert)
│ └─ Brand display matters; willing to pay for manual validation
└─ NO: Continue to next decision
Are you building for production with automation?
├─ YES: Use Let's Encrypt (free, ACME)
│ └─ Cost-effective, fully automated, trusted by all browsers
└─ NO (development, testing, legacy systems)
└─ Use Let's Encrypt or internal CA
└─ Minimal cost, suitable for non-production use
Step 1.3: Automation Strategy Selection
The 2025 certificate landscape demands automation. With validity periods shrinking to 47 days by 2029, manual renewal processes will cause organizational chaos. Automated certificate management is now a business imperative.
ACME Protocol Overview:
ACME (Automatic Certificate Management Environment) is the industry standard for certificate automation. It enables:
- Fully automated certificate requests (no portal login needed)
- Programmatic domain validation (DNS or HTTP challenges)
- Scheduled renewals (cron jobs or systemd timers)
- Integration with infrastructure-as-code (Terraform, Ansible)
Popular ACME Clients (2025):
-
Certbot (EFF)
- Most popular ACME client globally
- Supports 100+ DNS and web server plugins
- Excellent documentation
- Integrations: Nginx, Apache, Haproxy, Caddy
- Perfect for: System administrators, single-server deployments
-
acme.sh (Shell Script)
- Pure shell script (no Python dependencies)
- Supports 100+ DNS providers
- Lightweight (small footprint)
- Perfect for: Embedded systems, minimal environments, Docker containers
-
Caddy Web Server
- Built-in ACME support (fully automatic)
- Zero-downtime renewals
- HTTP/2 and HTTPS by default
- Perfect for: New web server deployments, simplicity-focused teams
-
Traefik Proxy
- Reverse proxy with automatic ACME
- Container orchestration integration (Docker, Kubernetes)
- Multi-server support
- Perfect for: Container deployments, microservices
-
cert-manager (Kubernetes)
- Native Kubernetes certificate management
- Supports Let's Encrypt, Vault, cloud CAs
- Automatic renewal and injection into secrets
- Perfect for: Kubernetes clusters, cloud-native applications
DNS-01 vs HTTP-01 Challenge Comparison:
| Aspect | HTTP-01 | DNS-01 |
|---|---|---|
| How it works | ACME client places file at /.well-known/acme-challenge/ | ACME client creates DNS TXT record _acme-challenge.domain |
| Wildcard support | No | Yes |
| Firewall requirements | Port 80 must be publicly accessible | DNS API access required |
| Ease of setup | Simple for public websites | More complex (requires DNS provider API) |
| Validation speed | Immediate | 1-5 minutes (DNS propagation) |
| Behind firewall | Won't work | Works (no public access needed) |
| Revocation scenarios | Can validate immediately | Wait for DNS TTL |
| Best for | Development, single-domain, HTTP/HTTPS migration | Production, wildcards, internal services |
Automation Strategy for Different Environments:
Development & Staging:
Strategy: Certbot with HTTP-01
Renewal frequency: Automatic via systemd timer
Downtime tolerance: High (can restart services)
Cost: $0 (Let's Encrypt)
Complexity: Low
Production (Single Server):
Strategy: Certbot with DNS plugin (Cloudflare, Route 53)
Renewal frequency: Automatic via cron (0 0,12 * * *)
Downtime tolerance: Zero (reload during off-peak)
Cost: $0 (Let's Encrypt)
Complexity: Medium
Production (Multi-Server Load Balanced):
Strategy: Certbot on dedicated renewal server → copy to web servers
OR: Shared certificate storage (S3, Vault) with file sync
Renewal frequency: Automatic with deployment pipeline
Downtime tolerance: Zero (blue-green deployment)
Cost: $0-$50 (Vault or Consul if self-hosted)
Complexity: Medium-High
Production (Kubernetes):
Strategy: cert-manager with Let's Encrypt ClusterIssuer
Renewal frequency: Automatic (30 days pre-expiration)
Downtime tolerance: Zero (pod rolling restart)
Cost: $0 (Let's Encrypt + open-source cert-manager)
Complexity: Medium (requires K8s knowledge)
Cloud-Only Environments:
Strategy: Cloud-native certificates (ACM, Key Vault, Certificate Manager)
Renewal frequency: Automatic (cloud provider manages)
Downtime tolerance: Zero (cloud handles deployment)
Cost: $0-$100 (free for most cloud services)
Complexity: Low (cloud console/CLI)
Step 1.4: Private Key Security Planning
Private keys are the most critical asset in your certificate infrastructure. If compromised, attackers can impersonate your domain, decrypt HTTPS traffic, and establish man-in-the-middle attacks. Private key security requires deliberate planning.
Key Generation Strategy Selection:
- Key Algorithm Choice: RSA vs ECDSA
RSA (Rivest-Shamir-Adleman):
- Industry standard since 1977
- Widely supported by all platforms
- Larger key sizes needed for equivalent security (2048-bit minimum, 4096-bit preferred)
- Slower performance (cryptographic operations take longer)
- Better tooling support in legacy systems
ECDSA (Elliptic Curve Digital Signature Algorithm):
- Modern standard (adopted 2005)
- Smaller key sizes for equivalent security (256-bit = 2048-bit RSA)
- Significantly faster cryptographic operations
- Excellent browser support (all modern browsers)
- Smaller certificate size (saves bandwidth, improves performance)
Recommendation: ECDSA P-256 for new deployments; RSA 4096 for compatibility-critical environments.
- Key Size Selection:
| Algorithm | Minimum | Standard | Recommended | Secure Until |
|---|---|---|---|---|
| RSA 2048 | Industry minimum | Not recommended (limit by 2024-2030) | Legacy support only | 2031 |
| RSA 4096 | Not minimum | Industry standard | High-security deployments | 2050+ |
| ECDSA P-256 | Equivalent to RSA 3072 | Industry standard | New deployments (better performance) | 2050+ |
| ECDSA P-384 | Equivalent to RSA 7680 | High-security only | Government/finance only | 2050+ |
Performance Impact Example:
RSA 2048: ~0.5ms per signature operation
RSA 4096: ~3.5ms per signature operation (7x slower)
ECDSA P-256: ~0.2ms per signature operation (17x faster than RSA 4096)
File Size Impact:
RSA 2048 public key: 294 bytes
RSA 4096 public key: 550 bytes
ECDSA P-256 public key: 91 bytes (6x smaller)
Best practice: Use ECDSA P-256 for new certificates; RSA 4096 for compatibility.
- Hardware Security Module (HSM) Decision Framework:
HSMs are tamper-resistant cryptographic devices that store and use private keys without exposing them to system memory.
When HSM is REQUIRED:
- Financial institutions (PCI-DSS mandates HSM for card processing)
- Government agencies (FIPS 140-2/140-3 compliance)
- Healthcare (HIPAA highly recommended for PHI protection)
- High-value targets (payment processors, large e-commerce, SaaS platforms)
- Compliance frameworks: PCI-DSS, HIPAA, FedRAMP, SOC 2 Type II
When HSM is RECOMMENDED:
- Organizations handling sensitive data (PII, healthcare, financial)
- Multi-tenant environments (isolation between customers)
- High-security requirements (zero-trust architecture)
- Certificate revocation incident risk assessment: High
When HSM is OPTIONAL:
- Startups with low breach risk profile
- Development/staging environments (non-production)
- Low-sensitivity internal services
- Open-source projects
HSM Deployment Options 2025:
| Solution | Cost | Security | Management | Best For |
|---|---|---|---|---|
| On-Premise (Thales Luna, Utimaco) | $50k-$100k upfront | Highest (full control) | Complex (maintenance, backup) | Large enterprises, highest compliance |
| Cloud HSM (AWS CloudHSM) | ~$1.45/hour | Very high (FIPS 140-2) | Managed by AWS | AWS environments, regulatory compliance |
| Cloud HSM (Azure Dedicated) | ~$2.47/hour | Very high (FIPS 140-2) | Managed by Azure | Azure environments, high security |
| Soft Token (Software-based) | $0 | Medium (vulnerable to attacks) | Simple | Development, non-sensitive production |
Key Generation Methods by Environment:
Development/Staging:
openssl genrsa -out private.key 4096
└─ Local file storage, file permissions (chmod 600)
Production (File-Based):
openssl genrsa -out private.key 4096
└─ Encrypted with AES-256
└─ Restricted file permissions (root:root 600)
└─ Secure backup to encrypted storage
└─ Regular audit trail of access
Production (HSM-Based):
pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so \\
--login --pin 0000 --keypairgen --key-type EC:prime256v1 \\
--label "production-cert-key"
└─ Keys never leave HSM
└─ FIPS 140-2/140-3 compliance
└─ Audit logging built-in
└─ Hardware backup procedures
Private Key Storage & Backup Best Practices:
-
Access Control:
- Restrict private key file permissions:
chmod 600(owner read/write only) - Limit user accounts: Only web server and cert manager processes
- Network access: Keys never transmitted over network (local files only)
- Document key owners and authorized users
- Restrict private key file permissions:
-
Encryption at Rest:
- Encrypt private key files with AES-256
- Use strong passphrase (20+ characters, generated by password manager)
- Separate encryption key from encrypted key (don't store together)
- Encrypt entire filesystem (dm-crypt, FileVault, BitLocker)
-
Secure Backup:
- Backup encrypted private keys to secure location
- Use encrypted backup media (USB drives, cloud storage with encryption)
- Test backup restoration (ensure you can recover when needed)
- Maintain backup inventory (which keys backed up, when, where)
- Separate backup location from production systems
-
Key Rotation Schedule:
- Rotate private keys every 6-12 months (or per compliance requirements)
- Rotation doesn't require domain re-validation (same domain, new key)
- Use certificate renewal process as opportunity for key rotation
- Archive old keys with encryption for historical compliance
-
Key Compromise Detection:
- Monitor for unauthorized key access (file system auditing)
- Alert on key extraction attempts (HSM provides native audit trails)
- Track key age and last use date
- Incident response plan for key compromise
Key Deliverable from Step 1.4:
- Certificate requirements matrix completed
- CA selection documented with rationale
- Automation strategy approved (Certbot, acme.sh, cert-manager, etc.)
- Private key security policy written (key size, HSM decision, backup plan)
- HSM procurement initiated (if required for compliance)
Stage 2: Certificate Procurement & CSR Generation (30-60 Minutes)
Step 2.1: Private Key Generation Best Practices
Now that you've planned certificate strategy, generate private keys using cryptographically secure methods.
Critical Rules for Private Key Generation:
-
Generate keys on secure systems only
- Never generate on internet-facing servers
- Use dedicated workstation or air-gapped system
- Minimal software (OpenSSL, HSM tools only)
-
Use strong randomness
/dev/urandom(cryptographically secure)- NOT
/dev/random(can block, slower) - HSMs use hardware RNG (built-in entropy source)
-
Never reuse private keys across certificates
- Each certificate gets unique private key
- Compromise of one key doesn't affect others
- Rotation: new key = new certificate (though domain re-validation not required)
-
Document key generation
- Date/time of generation
- System where generated
- Key algorithm and size
- Intended domain and validity period
- Backup location and encryption method
- Owner and authorized users
OpenSSL Private Key Generation Commands:
# RSA 2048-bit (legacy, minimal security)
openssl genrsa -out private.key 2048
# RSA 4096-bit (high security, recommended for RSA)
openssl genrsa -out private.key 4096
# ECDSA P-256 (modern, recommended)
openssl ecparam -genkey -name prime256v1 -out private.key
# ECDSA P-384 (highest security)
openssl ecparam -genkey -name secp384r1 -out private.key
# RSA with encryption (protected with passphrase)
openssl genrsa -aes256 -out private.key 4096
# Prompts for passphrase (20+ characters recommended)
# Remove passphrase when deploying to servers:
openssl rsa -in private.key -out private-nopass.key
Verifying Key Generation:
# View key algorithm and size (RSA)
openssl rsa -in private.key -text -noout | head -5
# View key algorithm and size (ECDSA)
openssl ec -in private.key -text -noout | head -5
# Calculate key fingerprint (used to match with CSR/cert)
openssl rsa -in private.key -pubout | openssl rsa -pubin -text -noout | openssl md5
# Save this fingerprint for verification
HSM-Based Private Key Generation:
# Thales Luna HSM
hsm init
hsm key generate -algorithm RSA -keysize 4096 -label "production-example-com"
hsm key list # Verify key created
# AWS CloudHSM
/opt/cloudhsm/bin/key_mgmt_util
Command: connect -m HOSTNAME
Command: genECKey -t EC_P256 -l "production-example-com"
Command: listKeys # Verify key created
# SoftHSM (testing only, not production)
softhsm2-util --init-token --slot 0 --label mytoken --so-pin 0000 --pin 0000
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login \\
--pin 0000 --keypairgen --key-type EC:prime256v1 --label mykey
Step 2.2: Certificate Signing Request (CSR) Creation
A Certificate Signing Request is a digitally signed message containing:
- Your public key (extracted from private key)
- Certificate subject information (domain, organization, country)
- Subject Alternative Names (additional domains)
- Requested certificate validity period
- Signature using your private key (proves you control the key)
CSR Field Explanations:
| Field | Example | Requirement | Notes |
|---|---|---|---|
| CN (Common Name) | www.example.com | Primary domain or wildcard | Can only be one domain (see SANs for multiple) |
| SAN (Subject Alt Name) | example.com, api.example.com | Additional domains | Can include up to 500 domains (varies by CA) |
| O (Organization) | Acme Inc | Required for OV/EV, optional for DV | Legal entity name |
| OU (Org Unit) | IT Security | Optional | Department or division |
| L (Locality) | San Francisco | Required for OV/EV | City (full name, not abbreviation) |
| ST (State/Province) | California | Required for OV/EV | Full name (NOT "CA", use "California") |
| C (Country) | US | Required for all | Two-letter ISO country code |
Common CSR Mistakes to Avoid:
-
Using IP address as Common Name: CAs reject IP-based CNs. Use domain names only.
WRONG: CN=192.168.1.1 RIGHT: CN=server.example.com -
Abbreviating State/Province: CAs require full state names.
WRONG: ST=CA RIGHT: ST=California -
Forgetting base domain in SANs: If CN=www.example.com, include SAN=example.com
WRONG: CN=www.example.com, SAN=(only www.example.com) RIGHT: CN=example.com, SAN=(example.com, www.example.com) -
Including port numbers in domain: Remove port numbers entirely.
WRONG: CN=example.com:443 RIGHT: CN=example.com -
Inconsistent SAN ordering: SANs should be ordered logically.
INCONSISTENT: SAN=(api.example.com, example.com, www.example.com) CLEAN: SAN=(example.com, www.example.com, api.example.com)
Creating CSR with OpenSSL (Manual Command-Line):
# Simple CSR (single domain, no organization)
openssl req -new -key private.key -out server.csr \\
-subj "/C=US/ST=California/L=San Francisco/O=Acme Inc/OU=IT/CN=example.com"
# With SAN extension (multiple domains)
openssl req -new -key private.key -out server.csr \\
-subj "/C=US/ST=California/L=San Francisco/O=Acme Inc/OU=IT/CN=example.com" \\
-addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:api.example.com"
# Wildcard certificate
openssl req -new -key private.key -out server.csr \\
-subj "/C=US/ST=California/L=San Francisco/O=Acme Inc/OU=IT/CN=*.example.com" \\
-addext "subjectAltName=DNS:*.example.com,DNS:example.com"
# View CSR contents
openssl req -in server.csr -text -noout
# Verify CSR signature
openssl req -in server.csr -noout -verify
Using Certificate CSR Generator Tool (Recommended):
Our Certificate CSR Generator provides a visual, error-resistant interface for CSR creation:
-
Visual Form Interface:
- Fill certificate details in web form (no command-line needed)
- Dropdown validation for country/state/organization
- Real-time preview of CSR fields
- Built-in error checking (catches abbreviations, IP addresses)
-
Client-Side Security:
- 100% processed in browser (private keys NEVER transmitted)
- No server interaction until download
- Cryptographic operations using JavaScript libraries
- Works offline (download, generate offline, upload CSR)
-
Multi-Domain (SAN) Support:
- Add unlimited domains (CA limit varies)
- Drag-reorder domains
- Validate domain format (prevents typos)
- Set primary domain (Common Name)
-
Advanced Options:
- Choose key algorithm (RSA 2048/4096, ECDSA P-256/P-384)
- Custom validity period (requested, CA may override)
- Organization information fields
- Certificate extensions (OCSPstapling, constraints)
-
Export Formats:
- PEM format (most common)
- DER format (binary, some systems require)
- Encrypted PEM (protection with passphrase)
Example CSR Contents (text view):
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = US, ST = California, L = San Francisco, O = Acme Inc, CN = example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Requested Extensions:
Subject Alternative Name:
DNS:example.com, DNS:www.example.com, DNS:api.example.com
Key Usage: critical
Digital Signature, Key Encipherment
Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
CSR Validation Before Submission:
Always verify CSR before sending to CA:
# Check CSR matches private key
openssl req -in server.csr -noout -modulus | openssl md5
openssl rsa -in private.key -noout -modulus | openssl md5
# (Both should output same hash)
# Verify all required fields present
openssl req -in server.csr -noout -text
# Check SAN extension
openssl req -in server.csr -noout -text | grep -A2 "Subject Alternative Name"
# Verify signature
openssl req -in server.csr -noout -verify
Step 2.3: Certificate Issuance Process
Once CSR is generated, submit to Certificate Authority for validation and issuance. The process varies significantly by CA type.
Let's Encrypt ACME Workflow (Most Common):
# Certbot - simplest Let's Encrypt method
certbot certonly \\
--standalone \\
-d example.com -d www.example.com
# Process flow:
# 1. Certbot generates private key and CSR (if not provided)
# 2. Submits CSR to Let's Encrypt via ACME protocol
# 3. Let's Encrypt issues authorization challenges (HTTP-01 or DNS-01)
# 4. Certbot completes challenge (places file on web server or DNS record)
# 5. Let's Encrypt validates domain ownership
# 6. Certificate issued (typically <2 minutes)
# 7. Certbot stores cert, key, chain to /etc/letsencrypt/live/
# Result files:
# /etc/letsencrypt/live/example.com/cert.pem (certificate only)
# /etc/letsencrypt/live/example.com/privkey.pem (private key)
# /etc/letsencrypt/live/example.com/chain.pem (intermediate cert)
# /etc/letsencrypt/live/example.com/fullchain.pem (cert + chain)
Commercial CA Workflow (DigiCert, Sectigo Example):
-
Log into CA's certificate management portal
- Create account with verified email
- Add organization details (verified once, reused)
-
Submit CSR
- Copy CSR content (from openssl req or CSR Generator)
- Paste into CA's "Request Certificate" form
- Verify certificate details extracted from CSR
- Confirm domain list and SAN extensions
-
Complete Domain Validation (DV only)
- Email validation: CA sends confirmation link to domain's admin email
- DNS validation: Add TXT record with CA-provided value
- File validation: Place file at
/.well-known/acme-challenge/token - HTTP redirect: Confirm HTTP redirects to HTTPS
- Takes 5-30 minutes for most DV certificates
-
Business Verification (OV only)
- CA phones organization contact
- Verifies business registration (legal documents)
- Confirms domain ownership
- Takes 1-3 days for OV issuance
-
Extended Validation (EV only)
- Extensive business verification (rarely used in 2025)
- Government business registration check
- Dun & Bradstreet verification
- Personal ID verification of authorized signers
- Takes 5-7 days (mostly irrelevant due to browser deprecation)
-
Download Certificate Files
- Certificate file (.crt, .cer, or .pem)
- Intermediate chain bundle (.ca-bundle or .p7b)
- Root certificate (usually pre-installed in browsers)
- Download in requested format (PEM, DER, PFX)
Example Commercial CA submission (Sectigo):
1. Log into sectigo.com dashboard
2. Click "Order New Certificate" → Select product type (DV, OV, EV)
3. Choose certificate type: Single, Wildcard, Multi-Domain (SAN)
4. Paste CSR content into text field
5. Verify extracted details (domain, SANs, organization)
6. Add approver email (domain admin): [email protected]
7. Select validation method: Email (automatic, most common)
8. Payment processing (credit card, invoice, prepaid credit)
9. Receive validation email at [email protected]
10. Click confirmation link in email
11. Certificate issued and available for download
12. Download in formats: PEM, DER, PFX
Cloud-Native Certificate Issuance:
AWS ACM (Certificate Manager):
# Request certificate via AWS CLI
aws acm request-certificate \\
--domain-name example.com \\
--subject-alternative-names www.example.com api.example.com \\
--validation-method DNS \\
--region us-east-1
# Returns: {
# "CertificateArn": "arn:aws:acm:us-east-1:ACCOUNT:certificate/ID"
# }
# For domain validation, create CNAME records in Route 53:
aws acm describe-certificate --certificate-arn ARN --query 'Certificate.DomainValidationOptions'
# ACM automatically validates and issues (typically <5 minutes)
# Auto-renewal begins 60 days before expiration (no manual action)
Azure Key Vault:
# Import existing certificate
az keyvault certificate import \\
--vault-name mykeyvault \\
--name mycertificate \\
--file certificate.pfx \\
--password "certpassword"
# Generate new certificate (limited CA options)
az keyvault certificate create \\
--vault-name mykeyvault \\
--name mycertificate \\
--policy @certificate-policy.json
GCP Certificate Manager:
# Create managed certificate (auto-renewal included)
gcloud certificate-manager certificates create example-com \\
--domains="example.com,www.example.com" \\
--location=global
# GCP manages validation and renewal automatically
# 30-day pre-expiration renewal (transparent to applications)
Step 2.4: Certificate Format Conversion
Certificates are issued in standard formats (PEM, DER, PFX), but different platforms require different formats. Format conversion is essential for deployment.
Certificate Format Overview:
| Format | File Extension | Encoding | Content | Use Case |
|---|---|---|---|---|
| PEM | .pem, .crt, .cer | Base64 text | Single or multiple certificates | Apache, Nginx, AWS, Google |
| DER | .der, .cer, .crt | Binary | Single certificate | Java, Windows, legacy systems |
| PFX/PKCS#12 | .pfx, .p12 | Binary | Certificate + private key + chain | Windows IIS, load balancers |
| P7B/PKCS#7 | .p7b, .p7c | Base64 text | Certificate chain (no private key) | Windows, some utilities |
| JKS | .jks | Binary | Java keystore format | Java applications, Tomcat |
Format Conversion Decisions:
Choose based on deployment target:
Apache/Nginx → Use PEM (.pem files)
├─ Provides: server.crt (certificate), server.key (private key), server.ca-bundle (chain)
└─ Example: ssl_certificate /etc/nginx/ssl/server.crt;
Windows IIS → Use PFX (.pfx with password)
├─ Single file includes cert + key + chain
└─ Import via Certificate Manager
Java/Tomcat → Use JKS keystore
├─ Import PEM files to JKS format
└─ Create with keytool utility
AWS Load Balancer → Use PEM (plain files or ACM)
├─ Upload certificate body and private key separately
└─ Optional: upload certificate chain
Google Cloud → Use PEM
├─ Concatenate certificate + chain files
└─ Upload as single file
Azure App Gateway → Use PFX
├─ Import with password
└─ Or use Key Vault integration
Converting PEM to DER:
# Single certificate
openssl x509 -in certificate.pem -outform DER -out certificate.der
# Verify conversion
openssl x509 -in certificate.der -inform DER -text -noout
Converting PEM to PFX (with private key):
# Create PFX from certificate, chain, and private key
openssl pkcs12 -export \\
-in certificate.pem \\
-inkey private.key \\
-certfile chain.pem \\
-out certificate.pfx \\
-name "example.com" \\
-passout pass:YourSecurePassword
# Verify PFX contents
openssl pkcs12 -in certificate.pfx -nokeys -info -passin pass:YourSecurePassword
Converting PEM to P7B (certificate chain without private key):
# Create P7B from certificate and chain
openssl crl2pkcs7 -nocrl \\
-certfile certificate.pem \\
-certfile chain.pem \\
-out certificate.p7b
# Verify P7B contents
openssl asn1parse -in certificate.p7b | head -20
Converting to Java Keystore (JKS):
# Option 1: From PFX
keytool -importkeystore \\
-srckeystore certificate.pfx \\
-srcstoretype PKCS12 \\
-srcstorepass pfx-password \\
-destkeystore keystore.jks \\
-deststoretype JKS \\
-deststorepass jks-password
# Option 2: Create JKS from PEM files
# First convert PEM to PKCS12
openssl pkcs12 -export \\
-in certificate.pem \\
-inkey private.key \\
-certfile chain.pem \\
-out certificate.p12 \\
-passout pass:password
# Then import to JKS
keytool -importkeystore \\
-srckeystore certificate.p12 \\
-srcstoretype PKCS12 \\
-srcstorepass password \\
-destkeystore keystore.jks \\
-deststoretype JKS \\
-deststorepass password
# Verify JKS keystore
keytool -list -v -keystore keystore.jks -storepass password
Using Certificate CSR Generator for Format Conversion:
The Certificate CSR Generator tool includes format conversion capabilities:
- Upload certificate file (PEM, DER, or PFX)
- Select target format (destination format)
- Conversion parameters:
- Password (for PFX output)
- Include chain (for PFX/P7B)
- Include private key (for PFX)
- Download converted file (100% client-side conversion)
Format Verification After Conversion:
# Verify PEM certificate
openssl x509 -in certificate.pem -text -noout | head -20
# Verify DER certificate
openssl x509 -in certificate.der -inform DER -text -noout | head -20
# Verify PFX certificate and key present
openssl pkcs12 -in certificate.pfx -passin pass:password -noout -info
# Verify P7B chain
openssl asn1parse -in certificate.p7b | grep -c "SEQUENCE"
# (Should show multiple SEQUENCE entries for each certificate in chain)
# Verify JKS keystore
keytool -list -v -keystore keystore.jks -storepass password | grep -A2 "Owner:"
Common Mistakes & How to Avoid Them
1. Forgetting Base Domain in Wildcard Certificate
WRONG: Certificate for *.example.com only
├─ Covers: api.example.com, www.example.com, mail.example.com
└─ DOES NOT cover: example.com (base domain fails)
CORRECT: Wildcard SAN certificate
├─ CN: example.com
├─ SAN: *.example.com, example.com
└─ Covers: example.com AND all first-level subdomains
Prevention: Always include base domain in SAN for wildcards.
2. Using Wrong State/Province Abbreviations
WRONG: ST=CA (state abbreviation)
CORRECT: ST=California (full state name)
WRONG: ST=BC (Canadian abbreviation)
CORRECT: ST=British Columbia (full province name)
Prevention: Use full state/province names, not abbreviations. CA won't issue if abbreviated.
3. Reusing Private Keys for Multiple Certificates
WRONG: Same private.key for example.com AND example.org
└─ If private.key compromised, attacker can sign traffic for both domains
CORRECT: Separate key for each domain
├─ example.com: key-example.key
├─ example.org: key-example-org.key
└─ Compromise of one key affects only that domain
Prevention: Generate new private key for each certificate. Never share keys between domains.
4. Forgetting Domain Validation Records
WRONG: Submit DV CSR, then assume immediate issuance
└─ CA waits for email confirmation or DNS record (never checks)
CORRECT: DV process
1. Submit CSR
2. Receive validation email from CA
3. Click confirmation link in email
4. CA re-validates, then issues certificate
Prevention: Actively complete validation steps. Check email inbox (including spam). Don't assume automatic validation.
5. Mismatching Certificate & Private Key
WRONG: Install cert-example-com.pem with key-example-org.key
└─ HTTPS fails: "certificate verification failed"
CORRECT: Verify match before deployment
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
# Both commands should output identical hash
Prevention: Always verify certificate-key pairing before deployment. Use tool X.509 Decoder to validate cert-key match.
6. Uploading Private Key to Public CA Portal
WRONG: Upload private.key to Let's Encrypt, Sectigo, DigiCert web portal
└─ Private keys transmitted over internet, stored on CA servers
CORRECT: Never upload private keys
├─ Only upload CSR (public key, not private)
└─ Download only: certificate file (not private key)
Private key generation:
1. Generate locally on secure system
2. Create CSR from private key (CSR contains public key)
3. Submit CSR to CA (leave private key on your system)
4. Receive certificate from CA (separate from private key)
Prevention: Use CSR-based workflow exclusively. Never upload private keys. Generate keys locally, keep locally.
7. Choosing Wrong Certificate Type for Requirements
WRONG: Single-domain certificate when you need multiple subdomains
└─ Forces purchasing separate certs for each subdomain (expensive)
CORRECT: Assessment
├─ Few subdomains (2-5): Multi-domain (SAN) certificate
├─ Many subdomains (10+): Wildcard certificate
├─ Mix of domains: Wildcard SAN certificate
└─ Save money and complexity
Prevention: Map all required domains before purchasing. Use Certificate Transparency Lookup to find existing certs and plan procurement.
Key Deliverables from Planning & Procurement
From Stage 1 (Planning):
- Certificate requirements matrix (domains, types, validation levels)
- CA selection documented with cost/benefit analysis
- Automation strategy approved (Certbot, acme.sh, cert-manager, etc.)
- Private key security policy (RSA vs ECDSA, key sizes, HSM decision)
- Compliance requirements documented (PCI-DSS, HIPAA, SOC 2)
From Stage 2 (Procurement):
- Private keys generated and securely stored
- Certificate Signing Requests created for all certificates
- Certificates issued from chosen CAs
- Certificate files downloaded and validated
- Format conversions completed for target platforms
- All files documented in centralized certificate inventory
- Backup procedures tested and documented
Connecting to the Broader Certificate Lifecycle
This article covers Stage 1 (Planning) and Stage 2 (Procurement). The complete certificate lifecycle includes:
- Stage 1: Planning & Strategy (this article) - Requirements analysis, CA selection, automation strategy, key security
- Stage 2: Procurement & CSR (this article) - Private key generation, CSR creation, certificate issuance
- Stage 3: Installation & Deployment - Web server configuration, load balancer setup, chain verification
- Stage 4: Validation & Security Testing - Certificate analysis, SSL/TLS testing, security headers
- Stage 5: Monitoring & Alerting - Expiration monitoring, CT monitoring, incident escalation
- Stage 6: Automated Renewal - Certbot, acme.sh, cert-manager, cloud-native auto-renewal
- Stage 7: Emergency Revocation - Certificate compromise response, revocation procedures, incident recovery
- Stage 8: Advanced Optimization - HSM integration, multi-CA strategy, certificate pinning, internal PKI
Read the complete overview at SSL/TLS Certificate Lifecycle Management for the full workflow.
Conclusion
Successful certificate planning and procurement prevent outages, reduce costs, and ensure security. By investing 1-2 hours in Stage 1 (Planning) and 30-60 minutes in Stage 2 (Procurement), you avoid expensive mistakes and establish a solid foundation for automated certificate lifecycle management.
Critical takeaways:
- Plan certificate requirements before procurement (use Certificate Transparency Lookup to audit existing certs)
- Choose the right CA for your requirements (Let's Encrypt for automation, commercial CAs for OV/EV)
- Implement ACME automation strategy (Certbot, cert-manager, or cloud-native solutions)
- Generate private keys securely with proper backup and access controls
- Create CSRs with accurate domain information using CSR Generator tool
- Validate certificates before deployment using X.509 Decoder tool
- Document everything for compliance and incident response
As certificate validity periods shrink to 47 days by 2029, the planning and automation steps described in this article transition from "best practice" to "business critical." Organizations that implement proper certificate lifecycle management in 2025 will effortlessly handle the dramatic changes ahead.
