AutoCSR

Trustico® provides an AutoCSR service that simplifies the SSL Certificate ordering process for customers who do not have a Certificate Signing Request (CSR) ready at the time of purchase.

This service automatically generates the necessary cryptographic credentials on your behalf, allowing you to complete your order quickly and receive a fully functional SSL Certificate without the technical complexity of manual Certificate Signing Request (CSR) generation.

The AutoCSR service is particularly valuable for customers who are unfamiliar with server administration, those using hosting environments with limited access, or anyone who simply prefers a streamlined ordering experience.

It is highly recommended that you generate your own Certificate Signing Request (CSR) directly on your server for production environments. Generating the Certificate Signing Request (CSR) on your own server ensures that your Private Key never leaves the secure environment where it will be used, which represents the most secure approach to SSL Certificate deployment. The AutoCSR service is best suited for development environments, testing scenarios, or situations where generating a Certificate Signing Request (CSR) on the server is not practical.

What is AutoCSR

When you place an SSL Certificate order without providing a Certificate Signing Request (CSR), the Trustico® AutoCSR service automatically generates one on your behalf.

A Certificate Signing Request (CSR) is normally created on your web server and contains the Public Key that will be embedded in your SSL Certificate.

The Certificate Signing Request (CSR) also includes identifying information about your domain name and organisation, which the Certificate Authority (CA) uses during the validation process.

If you are not sure how to generate a Certificate Signing Request (CSR), or you would prefer Trustico® to handle it, simply complete your order without one and AutoCSR will take care of the entire process.

The service uses industry-standard RSA-2048 encryption to create a secure key pair that meets all Certificate Authority (CA) requirements and provides strong cryptographic protection for your website visitors.

How AutoCSR Works

The AutoCSR process follows a secure workflow designed to protect your cryptographic credentials while simplifying the SSL Certificate ordering experience. Understanding each step helps you know what to expect when using this service.

Placing Your Order

You begin by completing the order form with your domain name and organisation details, leaving the Certificate Signing Request (CSR) field empty.

The Trustico® system recognises that no Certificate Signing Request (CSR) has been provided and automatically activates the AutoCSR service for your order.

You do not need to select any special options or pay additional fees, as AutoCSR is included as a standard feature with all Trustico® SSL Certificate orders.

Credential Generation

Once your order is received, the Trustico® system automatically creates a secure RSA-2048 key pair and Certificate Signing Request (CSR) using the details you provided during checkout.

This process generates both a Private Key and a corresponding Public Key, with the Public Key being embedded within the Certificate Signing Request (CSR). The generation occurs using cryptographically secure random number generation to ensure the uniqueness and security of your credentials.

Receiving Your Private Key

During the ordering process, Trustico® delivers an encrypted archive containing your Private Key.

This archive contains only your Private Key, protected using AES-256 encryption. This military-grade encryption standard ensures your Private Key remains secure during transmission. Your SSL Certificate is never bundled with your Private Key, as delivering both together would present a security risk.

Retrieving Your Unlock Code

The code required to open your encrypted archive is available separately within your account when viewing your order details.

This two-channel delivery approach means that even if someone intercepts your e-mail, they cannot access your Private Key without also having access to your Trustico® customer account.

You must log in to your account and navigate to your order details to retrieve the unlock code.

Order Submission and Validation

After the Certificate Signing Request (CSR) is generated, your SSL Certificate request is automatically submitted to the Certificate Authority (CA) for validation and issuance.

The validation process proceeds according to the type of SSL Certificate you purchased, whether Domain Validation (DV), Organisation Validation (OV), or Extended Validation (EV).

You will receive validation instructions via e-mail and should complete any required verification steps promptly to ensure timely issuance.

Receiving Your SSL Certificate

Upon successful validation, your SSL Certificate and any necessary Intermediate Certificates are delivered separately through your Trustico® account.

You will then combine your Private Key from the encrypted archive with your issued SSL Certificate during the installation process on your web server.

Two-Channel Security Delivery

Trustico® employs a two-channel security approach when delivering AutoCSR credentials to protect your sensitive cryptographic material from interception or unauthorised access. This method separates the encrypted archive from the unlock code, requiring access to multiple authenticated systems.

The AutoCSR service generates your Certificate Signing Request (CSR) and Private Key in the same manner that hosting companies worldwide already do for their clients. The critical difference is that Trustico® does not store or retain your Private Key at any time. Once your encrypted Private Key archive has been generated and delivered, no copy remains on any Trustico® system. This approach provides the convenience of automated credential generation while maintaining the security principle that only you should possess your Private Key.

The encrypted archive file is delivered directly to you in ZIP format. This archive contains only your Private Key, protected by AES-256 encryption.

The unlock code required to decrypt this archive is stored securely within your order details on the Trustico® website.

This separation ensures that a compromised e-mail account alone cannot result in exposure of your Private Key, providing an additional layer of security for your SSL Certificate credentials.

Opening the Encrypted Archive

The AutoCSR archive uses AES-256 encryption for security, which provides strong protection but may require specific extraction software depending on your operating system.

Different platforms have varying levels of native support for AES-256 encrypted ZIP files, and you may need to install additional tools to successfully extract your Private Key.

Windows Operating Systems

The built-in Windows extraction utility does not support AES-256 encrypted archives, which means you will need to download and install a compatible extraction tool.

The most commonly recommended free options include 7-Zip and WinRAR, both of which fully support AES-256 encryption and are available for download at no cost.

After installing your chosen tool, right-click the encrypted archive file, select the appropriate extraction option from the context menu, and enter your unlock code when prompted.

The extracted file will be your Private Key, which you will use together with your SSL Certificate during installation.

Mac Operating Systems

Mac users can typically double-click the encrypted archive file and enter the unlock code when prompted by the system.

However, some versions of macOS may not fully support AES-256 encrypted ZIP files through the native Archive Utility.

If you encounter difficulties extracting your Private Key, you can install The Unarchiver application, which is available free of charge from the Mac App Store.

This application provides comprehensive support for encrypted archives and integrates seamlessly with the macOS file management system.

Linux Operating Systems

Most Linux distributions support AES-256 ZIP extraction natively through their file manager applications or command-line tools.

You can use your graphical file manager to extract the archive by double-clicking and entering the unlock code, or you can use the command-line 7z utility.

The command to extract your Private Key is simply "7z x filename.zip" followed by entering your unlock code when prompted.

If your distribution does not include the necessary tools by default, you can install the p7zip package through your distribution's package manager.

Important Security Information

The file you receive through the AutoCSR service contains sensitive cryptographic material required to install and operate your SSL Certificate. The Private Key must be protected carefully, as anyone with access to this file could potentially impersonate your website or decrypt traffic intended for your server.

Store your Private Key in a secure location with restricted access and do not share it with anyone who does not require access to your server administration.

If You Lose Your Credentials

Trustico® does not retain copies of your Private Key after it has been delivered to you.

This security practice ensures that your Private Key exists only in locations you control and cannot be compromised through a breach of external systems.

If you lose your Private Key file or accidentally delete the encrypted archive, you will need to request a Certificate reissuance.

The reissuance process generates a completely new key pair and SSL Certificate, replacing your original credentials with fresh ones.

Private Key Protection

Your Private Key should never be shared, stored in publicly accessible locations, or transmitted over unencrypted connections without safeguards.

When installing your SSL Certificate, ensure that file permissions on your Private Key restrict access to only the necessary system accounts.

Many web servers require specific permission settings on Private Key files, typically limiting read access to the root user or the web server process. Failure to properly protect your Private Key could result in security vulnerabilities that compromise the protection provided by your SSL Certificate.
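The checks described above and in the installation step can be scripted. The following is an added example, not Trustico® code: it confirms that the extracted Private Key belongs to the issued SSL Certificate, reports the key size, and restricts the key file to its owner. The file names are assumptions, and make_sample only builds throwaway, constructed test credentials.

```shell
#!/bin/sh
# Added example: checks to run before installing a delivered Private Key.
# Requires the openssl command-line tool. File names are placeholders.

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# rsa_bits KEY: print the key size, e.g. 2048.
rsa_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# key_is_private KEY: succeed only if group and others have no access.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# make_sample DIR: constructed sample input (a throwaway key, a self-signed
# certificate for it, and an unrelated second key). Not real credentials.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/private.key" -out "$1/certificate.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Usage: sh check_key.sh private.key certificate.crt
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; exit 1; }
    chmod 600 "$1"    # owner read/write only
    key_is_private "$1" && echo "OK: $(rsa_bits "$1")-bit key matches, mode 600"
fi
```

A mismatch here usually means the key comes from a different order or from before a reissuance, and the web server will refuse to start with that pair.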

When to Provide Your Own Certificate Signing Request

While the AutoCSR service offers convenience for many customers, generating your own Certificate Signing Request (CSR) directly on your server is the recommended approach for production environments. This ensures your Private Key is created and remains within the secure environment where your SSL Certificate will be installed.

Understanding these scenarios helps you determine the best approach for your specific requirements.

You may prefer to generate your own Certificate Signing Request (CSR) if your hosting provider or IT team requires the Private Key to be generated directly on the server where the SSL Certificate will be installed.

Some organisations have specific security policies governing key generation that mandate the use of particular cryptographic modules or require keys to remain within controlled environments.

If you are using a Hardware Security Module (HSM) for enhanced Private Key protection, you will need to generate your Certificate Signing Request (CSR) through that device rather than using AutoCSR.

If you already have a Certificate Signing Request (CSR) prepared, simply paste it into the Certificate Signing Request (CSR) field during checkout and the AutoCSR service will not be activated.

Your existing Certificate Signing Request (CSR) will be used to process your SSL Certificate order, and you will receive only the issued SSL Certificate and Intermediate Certificates rather than a Private Key package.
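Generating the key pair and Certificate Signing Request (CSR) on the server, as recommended above, can look like the following added example (not Trustico® code). RSA-2048 matches the key type this page describes; the directory, file names and subject values are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: create the Private Key and CSR on the server itself.
# Requires the openssl command-line tool. All values are placeholders.

# make_csr DIR COMMON_NAME ORGANISATION COUNTRY
# Writes DIR/COMMON_NAME.key (stays on the server) and DIR/COMMON_NAME.csr
# (the only file pasted into the order form).
make_csr() {
    dir=$1 cn=$2 org=$3 country=$4
    (
        umask 077    # new key file is readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/C=$country/O=$org/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    )
}

# csr_subject CSR: print the identifying details the CA will see.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# csr_is_safe_to_send CSR KEY: the CSR must carry the public half of KEY
# and must not contain any private key material.
csr_is_safe_to_send() {
    if grep -q "PRIVATE KEY" "$1"; then return 1; fi
    cpub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Usage: sh make_csr.sh /etc/ssl/private www.example.test "Example Ltd" GB
if [ "$#" -eq 4 ]; then
    make_csr "$@" && csr_subject "$1/$2.csr"
fi
```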

Installation Assistance

If you need help installing your SSL Certificate after receiving your AutoCSR credentials, Trustico® offers comprehensive support resources and professional installation services.

The installation process varies depending on your web server software and hosting environment, but the credentials provided through AutoCSR are compatible with all standard server configurations.

For customers who prefer hands-off installation, Trustico® offers a Premium Installation service where experienced technicians handle the entire installation process on your behalf. This service is particularly valuable for complex server environments, customers with limited technical experience, or situations where you simply want the assurance of professional installation.

The Premium Installation team works directly with your server to ensure your SSL Certificate is correctly configured and functioning properly.

Getting Help

If you have questions about the AutoCSR service or need assistance with any aspect of your SSL Certificate order, the Trustico® support team is available to help.
