SSL certificate maximum validity is being reduced to 200 days from March 2026. Read more →

SSL Certificates

Cheap SSL DV SSL Wildcard SSL Multi-Domain (SAN) OV & EV SSL

Specialty Certificates

Code Signing Document Signing Email / S/MIME VMC / BIMI
In effect now Certificate Lifetime

Automation

Overview Auto DNS FairSSL vs Let's Encrypt

Platforms

Windows Setup Linux & Kubernetes Appliances ACME Clients

Tools

SSL Scanner Certificate Decoder CAA Generator

Guides

Windows Server Linux & Open Source All guides

Company

About Us Contact Installation Service
News

Language

Dansk Svenska English

Currency

Login Create Account

CSR service

Let FairSSL generate your private key and CSR. We generate the key pair on our server and immediately encrypt the private key. The encryption code is sent via SMS to your mobile number. When the certificate is issued, you receive an email to collect your certificate, where you enter the SMS code and download the certificate in multiple formats.

How it works

1

Choose key type

When ordering, you choose a key type: RSA 2048, 3072 or 4096 bit, or EC P-256 or P-384.

2

We generate key + CSR

FairSSL generates a private key in memory and a matching CSR on our secure server.

3

Encryption + SMS

The private key is encrypted immediately. The encryption code is sent via SMS to your mobile number.

4

Certificate is issued

We use your CSR to order the certificate from the CA. Once issued, you receive an email with a link to collect it.

5

Collect your certificate

Enter the SMS code on the collection page and download the certificate in multiple formats, ready for installation.

CSR service

Charged on new purchases and renewals.

€33 excl. VAT

Reissues with new keys are free for the entire order period.

Benefits of the CSR service

Secure key storage

The private key never leaves our encrypted storage until you download it yourself.

SMS password

The password is delivered via SMS, a separate channel from the certificate itself.

Multiple key types

Use the CSR service to easily issue both RSA and ECC versions of your certificate for different servers.

Free reissuance

Reissue with new keys for new servers at no extra cost during the order period.

Key security recommendation

All security recommendations say that the private key should be generated directly on the server or device that will use the certificate. The key should never be copied, exported or transferred between systems. The CSR service is convenient but carries a higher risk than local key generation. If you can generate your own CSR, we recommend it. It is also bad practice to back up certificates and private keys. If you lose a certificate or key, it is better to reissue with a new key pair.

Automatic key generation

Our ACME automation generates keys directly on your servers. No keys transferred, no SMS codes. The highest security.

See ACME automation

Generate your own CSR

We have guides for CSR generation on all platforms: Windows IIS, Apache, Nginx, OpenSSL and more.

See guides

Frequently Asked Questions

Find answers to the most common questions about SSL certificates and FairSSL.

A CSR (Certificate Signing Request) is a file containing your domain details and public key. It is sent to the CA, which uses it to issue your certificate. The CSR is paired with the private key that was generated at the same time.
The CSR service makes it easy to get a key and CSR generated without having to use command-line tools yourself. It can also be used if you need to prepare the certificate before you have access to the server, or if the server makes it difficult to generate keys. Unlike free CSR generators on the internet, you know who we are, and we have a clear incentive to protect your certificate.
It is as secure as we can make it on a system connected to the internet. The private key is generated in memory on a server that cannot be accessed directly from the internet. The key is encrypted with AES-256 before it is stored. The password is generated in memory and sent via SMS to your mobile number. The SMS code is automatically deleted when your phone confirms receipt. The encrypted key is deleted when you download the certificate. You are therefore the only one who can decrypt the key. There is, however, always a higher risk than generating the key directly on the server yourself.
Yes. You can reissue your certificate with a new key type, for example switching from RSA 2048 to EC P-384 or vice versa. Each reissue generates a new key pair and a new CSR.
No. The CSR service is only charged on new purchases or renewals. All reissues during the order period are free, regardless of how many times you reissue with new keys.
RSA with 2048, 3072 or 4096 bits, and ECDSA with curves P-256 and P-384. We recommend EC P-384 or RSA 3072. EC P-384 provides shorter keys and faster TLS handshakes.
We generate SSL key pairs and CSR in memory on a server that has no web server installed and no direct connections from the internet. However, since you will need to collect the certificate later, there will by definition always be a higher risk than if you generated the key directly on your own server.

Ready to create a free account?

Create a free account and issue your first certificate in under 10 minutes.

Create free account Compare certificates