Generate a Private Key and Certificate Signature Request (CSR) from your Web Server


Prior to enrolling/reissuing/renewing a Certificate, you must generate a minimum of 2048-bit Private Key and CSR pair from your web server.

Digital IDs make use of a technology called Public Key Cryptography, which uses Public and Private Key files.

The Public Key, also known as a Certificate Signature Request (CSR), is the key that will be sent to thawte. The Public Key is generated on your server and validates the computer-specific information about your web server and Organization when you request a Certificate from thawte.

The Private Key will remain on the server and should never be released into the public. thawte does not have access to your Private Key. It is generated locally on your server and is never transmitted to thawte. The integrity of your Digital ID depends on your Private Key being controlled exclusively by you.

A CSR can not be generated without generating a Private Key file. Similarly the Private Key file can not be generated without generating a CSR file. In certain web server software platforms like Microsoft IIS, both are generated simultaneously through the Wizard on the web server.

Typically, you will be prompted to enter the following information about your Organization in order to generate the Private Key and CSR (Public Key) pair from the web server:

  • Organization Name

  • Organizational unit: This maybe either a Sole Proprietorship, Trading As, University Department, University Administration, Government Department, Doing Business As, University Faculty, Public (Listed) Company, Private (Unlisted) Company, Registered Non Profit Organization, Non-Government Organization, Interest Group, Registered Charity.

  • Country Code

  • State or Province

  • Locality

  • Common Name: This is the name that distinguishes the Certificate best, and ties it to your Organization. Here you need to enter your exact host and domain name that you wish to secure. This may also be the root server or intranet name for your Organization.


    • If you wish to secure, then you need to enter as the Common Name. If you just enter as the Common Name (without the host www), then the Certificate will only get issued to Similarly, if you need to secure, then you need to mention the Common Name as

    • If you are buying a Wildcard Server Certificate for securing all sub-domains of your domain name, then you need to enter the Common Name as *; otherwise you will get an error while submitting your CSR.

You need to get in touch with your Web Hosting provider and request them to generate a CSR for your business after supplying them the above mentioned information. If you have bought Web Hosting for this domain name with ZHA Company Limited, then you may generate a CSR yourself from your own Control Panel.

  • While generating a Certificate Signature Request (CSR) for a domain name hosted on a Windows server, you need to set a Password that contains only alphanumeric characters. If non alphanumeric characters are included, you will encounter the below error message while enrolling/reissuing/renewing your Digital certificate:

    CSR contains unsupported extensions

  • You need to use a valid 2-letter country code while generating a Certificate Signature Request (CSR).

    Additional Information

    List of valid Country Codes

    Otherwise, you will encounter the below error message while enrolling/reissuing/renewing your Digital certificate:

    CSR contains an invalid 2-letter country code

    This message is also encountered if your generate a Certificate Signature Request (CSR) on an IIS Server, using the Renew Certificate option. Hence, this option is not to be selected while generating the CSR.