F5 GLOSSARY

Certificate Signing Request (CSR)

A CSR (Certificate Signing Request) is a message sent by an applicant (or subscriber) in a public key infrastructure to a Certification Authority (CA), requesting the issuance of a public key certificate (digital certificate).

To obtain such a certificate, the applicant first generates a key pair, consisting of a public key and a private key. The applicant stores the private key securely and includes the public key in the CSR submitted to the CA. Once the Certification Authority verifies and approves the request, it issues a digital certificate to the applicant, digitally signed with the CA's own private key. Aside from public key information, the CSR also includes a "Distinguished Name (DN)" containing structured details such as the organization's formal name and address.
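The applicant-side steps above, plus the checks a CA can run on a received request, as an added example using the OpenSSL command line (not code from F5). The function names, file names and DN values are constructed for illustration; the signature check relies on the fact that a PKCS#10 CSR is signed with the applicant's own private key.

```shell
#!/bin/sh
# Added example: function names, paths and DN values are constructed placeholders.

# Applicant: generate the key pair. The private key never leaves this host
# and is written with owner-only permissions.
make_key() {   # $1 = private key path
    ( umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null )
}

# Applicant: build the CSR. It carries the public key and the Distinguished
# Name, and is signed with the private key (the key itself is not included).
make_csr() {   # $1 = private key path, $2 = CSR path, $3 = DN
    openssl req -new -key "$1" -subj "$3" -out "$2"
}

# CA: the CSR's self-signature must verify against the public key inside it,
# which shows the requester holds the matching private key.
# The output is matched because older OpenSSL exits 0 even on a bad signature.
csr_signature_ok() {   # $1 = CSR path
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Applicant: confirm which private key a CSR belongs to before submitting it.
csr_matches_key() {   # $1 = CSR path, $2 = private key path
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# CA: read the DN the applicant is asking to have certified.
csr_subject() {   # $1 = CSR path
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

demo() {
    d=$(mktemp -d) || return 1
    make_key "$d/server.key" &&
    make_csr "$d/server.key" "$d/server.csr" \
        "/C=US/O=Example Corp/CN=www.example.com" &&
    csr_signature_ok "$d/server.csr" &&
    csr_matches_key "$d/server.csr" "$d/server.key" &&
    csr_subject "$d/server.csr"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

A valid self-signature only proves possession of the key; the CA still has to verify the DN contents through its own validation process before issuing.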

Certification Authorities issuing certificates in response to CSRs can be categorized broadly into two types: public and private.

Public Certification Authorities are recognized official entities whose root certificates (certificates verifying the CA's authenticity) are pre-installed within web browsers, email clients, or other applications, allowing automatic validation of issued certificates. Certificates for publicly accessible servers, such as SSL certificates for Web servers or certificates used in secure external communications, must generally be obtained from a Public Certification Authority.

Private Certification Authorities, by contrast, are operated within individual organizations or enterprises based on their internal operational policies. Certificates issued by private CAs are not publicly recognized as trustworthy by browsers or external systems. For example, a website made public using an SSL certificate issued by a private CA triggers a browser security warning indicating that the certificate lacks public validation. However, client certificates issued by a private CA can be effectively deployed for authentication purposes within internal enterprise systems without any practical issues.

Additionally, F5 provides client certificate authentication functionality within its BIG-IP Access Policy Manager (APM), including built-in Private CA functionality to simplify the management and deployment of client certificates.