What Is a CSR for an Email Certificate?

Learn what a certificate signing request is, what information it contains, how it fits into S/MIME certificate issuance, and why a CSR is not the final certificate.

Apple-focused shortcut

Need the easiest Apple-focused workflow?

Learn the concepts here, then use SMIME Toolkit to generate keys on-device, build the CSR, export a .p12 identity, and complete the manual Apple setup path.

A CSR, or certificate signing request, is the structured request you send to a certificate authority or issuing service when you want a certificate. In S/MIME workflows, it is one of the most important concepts to understand because people often confuse it with the certificate itself.

The short definition

A CSR is a request that says:

  • here is my public key
  • here is the identity information that should be bound to it
  • please issue a certificate if this request satisfies policy

That is all. A CSR is not proof that the certificate was issued. It is only the request.

Why a CSR exists at all

The issuing system needs a clean way to receive:

  • the public key that should appear in the certificate
  • identifying information such as an email address
  • a cryptographic proof that the request corresponds to the matching private key

The CSR solves that problem by packaging the relevant information in a standard format.

What is typically inside a CSR

A CSR commonly includes:

  • the public key
  • identifying subject information
  • extension requests such as email address handling
  • a signature created with the matching private key

The important detail is that the CSR includes the public side of the key relationship and is signed in a way that demonstrates possession of the corresponding private key. The private key itself is not supposed to be embedded in the CSR.

Why S/MIME users should care

In an S/MIME workflow, the CSR is the bridge between key generation and certificate issuance.

The usual flow is:

  1. generate a key pair
  2. build the CSR
  3. send the CSR to the issuer
  4. receive the signed certificate
  5. package the usable identity for installation, often as a .p12

If you skip understanding the CSR step, later trust and identity problems are harder to reason about because you no longer know where the certificate data actually came from.

A CSR is not the final certificate

This distinction matters enough to state twice:

  • the CSR is the request
  • the certificate is the issuer’s signed response

Until the issuer returns the certificate, there is no final signed identity to install.

Users who are new to S/MIME sometimes ask where they can “import the CSR into Mail.” That question usually indicates a category error. Mail clients generally need the final certificate identity, not the raw request.

Why subjectAltName matters

Modern S/MIME certificate workflows often rely on the email address appearing correctly in the certificate data, which is one reason the CSR must be assembled carefully. The specific field many readers run into is subjectAltName, often shortened to SAN.

If the email address handling in the CSR or issued certificate is wrong, later client behavior can become unpredictable. That topic is explained in "What subjectAltName Means in Email Certificates."

What can go wrong at the CSR stage

Several problems often start here:

  • the wrong email address is requested
  • the key pair and CSR do not match the expected workflow
  • the issuing service expects certain attributes or policy fields that the request does not include
  • the request is generated on one system but installed on another in a way that breaks the identity pairing

This is one reason an Apple-focused helper app can be useful. If a user is trying to generate keys on-device and proceed into certificate issuance cleanly, a guided CSR step can reduce avoidable mistakes. That is part of the value proposition explained on the app page.

Why admins also care about CSRs

For administrators and small business teams, the CSR stage matters because it sits near the policy boundary. It is where you can enforce:

  • identity conventions
  • approved algorithms
  • required email address values
  • expected certificate extensions

That makes the CSR not just a technical detail, but a control point in the broader S/MIME lifecycle.
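
As an added example (not from the original article or from SMIME Toolkit), the shell functions below use the openssl command line to build a CSR that requests an email subjectAltName and then apply the issuer-side checks described above. The addresses, file names, and the "RSA, at least 2048 bits" policy are assumptions chosen for illustration.

```shell
# Added example; addresses are constructed, the RSA >= 2048 policy is assumed.

# Flow steps 1-2: generate a key pair, then build a CSR that requests the
# mailbox as an email subjectAltName. usage: make_csr EMAIL KEY_OUT CSR_OUT
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
        -subj "/CN=S-MIME test user" -addext "subjectAltName=email:$1" 2>/dev/null
}

# Issuer-side gate; returns 0 only if every check passes.
# usage: check_csr CSR EXPECTED_EMAIL [MIN_RSA_BITS]
check_csr() (
    csr=$1; email=$2; min_bits=${3:-2048}

    # A request file must never carry private key material.
    grep -q "PRIVATE KEY" "$csr" && exit 5
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || exit 1

    # Proof of possession: the CSR signature must verify against the public
    # key inside it. Match the message text, because older openssl releases
    # exit 0 even when they print "verify failure".
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || exit 2

    # Approved algorithm and key size (assumed policy).
    printf '%s\n' "$text" | grep -q "Public Key Algorithm: rsaEncryption" || exit 3
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] || exit 3

    # Required email value: exact match against one SAN entry, so a
    # lookalike such as alice@example.com.test does not pass.
    printf '%s\n' "$text" | grep -A1 "Subject Alternative Name" | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "email:$email" || exit 4
)

# Demo with constructed values.
tmp=$(mktemp -d)
make_csr alice@example.com "$tmp/alice.key" "$tmp/alice.csr"
check_csr "$tmp/alice.csr" alice@example.com && echo "alice: accepted"
check_csr "$tmp/alice.csr" bob@example.com || echo "bob: rejected (code $?)"
```

The exit codes separate the failure reasons: 2 for a signature that does not verify, 3 for an unapproved key, 4 for a missing or wrong email address, 5 for a file that contains a private key.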

When to move on from the CSR concept

Once you understand that a CSR is a formal request and not the final certificate, the next useful articles are:
