

When you need a CSR
You don’t need one for the common case. The free Wizard flow handles Let’s Encrypt CSRs internally and you never see them. Generate a CSR here when:
- You’re buying a paid certificate from DigiCert, Sectigo, GoDaddy, Comodo, GeoTrust, or another commercial CA. They’ll ask for a CSR before issuing.
- You’re getting an Extended Validation (EV) or Organization Validation (OV) cert and need explicit organization fields baked in.
- You’re applying for a wildcard cert at a CA that doesn’t support automated DNS challenges.
Generate a CSR
Pick or generate a key
From the Key dropdown, either generate a new RSA 2048-bit key (the default), or pick an existing key from the Keys tab. The CSR is bound to this key; the eventual certificate will only work with the same key.
List the domains
One per line. Include every hostname the cert should cover.
- Bare domain and www: mybrand.com, www.mybrand.com.
- Subdomains: each one explicitly.
- Wildcards: *.mybrand.com. Note: many CAs charge more for wildcards or multi-domain (UCC/SAN) certs.
Fill in the organization fields
All required by most CAs:
- City. Full name of the city.
- State. Full name of the state or province.
- Country. From the dropdown.
- Company. Legally-registered business name. For an OV/EV cert, this string ends up in the issued certificate as-is and the CA verifies it.
- Company Division. Optional. Department or team.
- Email. A real, monitored address. Some CAs use this for verification.
Add a passphrase (optional, usually skip)
Some CAs ask for a CSR passphrase as a second factor. cPanel notes that the passphrase is stored unencrypted in the CSR, so don’t reuse a real password. Leave blank unless your CA specifically asks for it.
After the CA issues the cert
Once the CA validates and signs the cert, they email you a .crt file or offer it as a download (sometimes a .zip with several files). Bring it back to cPanel:
- Upload the cert. Paste the issued cert body into the Certificates tab.
- Install it. Either click Install from the cert row, or open Installation, pick the domain, and let cPanel link the cert to the matching key automatically.
- Add the CA bundle if cPanel can’t find one. Most public CAs publish their intermediate chain online and cPanel fetches it. For a private or unusual CA, paste the chain into the CABUNDLE field at install time.
Manage existing CSRs
The list at the top of the page shows every CSR on the account. Most of them are kept around in case you need to retrieve the original CSR text or rebuild from the same key. Per-CSR actions:
- View. Reopen the CSR text. Useful if you need to re-paste it into the CA’s order form.
- Delete. Remove the CSR from the server. The matching private key in the Keys tab is not deleted automatically; clean it up separately if it was a one-off.
Common issues
The CA rejected my CSR with 'common name mismatch'
The first domain in your domains list is the Common Name. If your cert is for mybrand.com but you put www.mybrand.com first, some older CA flows reject it. Reorder the list and regenerate.
CA wants Apache 2.x format, but cPanel uses 'something else'
cPanel’s CSR is standard PEM. It works with every modern CA. If a CA asks for “Apache 2 format”, what they mean is the same PEM block; just paste the whole -----BEGIN CERTIFICATE REQUEST----- block.
I lost the private key after generating the CSR
There’s no recovery. The CA-issued certificate is unusable without the matching private key. Regenerate everything: new key in Keys, new CSR in this tab, contact the CA for a re-issue against the new CSR.
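To inspect a CSR outside cPanel before sending it to a CA, the checks below show which key it is bound to, which hostname became the Common Name, and that a challenge passphrase is readable by anyone holding the CSR. This is an added example, not cPanel's own code; it assumes the `openssl` command-line tool, and the file names, organization values and challenge string are constructed.

```shell
#!/bin/sh
# Added example. Hostnames, organization values and the challenge string are constructed.
set -eu

# SHA-256 of the public key inside a private key file or a CSR.
key_pub_hash() { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }
csr_pub_hash() { openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Common Name in the CSR subject (the first hostname in the domains list).
csr_common_name() { openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# The challengePassword attribute exactly as any reader of the CSR sees it.
csr_challenge() { openssl req -in "$1" -noout -text | sed -n 's/.*challengePassword *:\(.*\)/\1/p'; }

# Build two keys and one CSR in directory $1, using an OpenSSL config file.
make_demo_csr() {
  cat > "$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
attributes = attrs
req_extensions = ext
[dn]
C = US
ST = Texas
L = Austin
O = My Brand LLC
CN = mybrand.com
[attrs]
challengePassword = constructed-demo-value
[ext]
subjectAltName = DNS:mybrand.com,DNS:www.mybrand.com
EOF
  openssl genrsa -out "$1/site.key" 2048 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
  openssl req -new -key "$1/site.key" -config "$1/req.cnf" -out "$1/site.csr"
}

d=$(mktemp -d)
make_demo_csr "$d"
echo "Common Name: $(csr_common_name "$d/site.csr")"
echo "Challenge visible in CSR: $(csr_challenge "$d/site.csr")"
for k in site other; do
  if [ "$(key_pub_hash "$d/$k.key")" = "$(csr_pub_hash "$d/site.csr")" ]; then
    echo "$k.key matches site.csr"
  else
    echo "$k.key does NOT match site.csr"
  fi
done
rm -rf "$d"
```

The same public-key comparison works on the issued certificate by reading its key with `openssl x509 -in cert.crt -noout -pubkey` in place of the `openssl req` call.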

