A certificate signing request (CSR) is a document needed to request a new, valid SSL/TLS certificate from a Certificate Authority (CA). A CSR contains the information needed to create an SSL/TLS certificate and is usually sent to the CA by the end user. There are two types of CSRs: private and public. A private CSR is used for self-issued certificates, while a public CSR is used for certificates that enterprise CAs issue to their customers.
Private CSRs are generated on the client’s computer. The private key pair is created on the client’s computer and then signed with the private key. This type of CSR can only be used by one client at a time and it must be passed through two-factor authentication before it can be submitted to a CA.
Public CSRs are generated using OpenSSL on the server. Public CSRs can be used by multiple clients at once since they do not require two-factor authentication. A public CSR can also be generated without a private key pair if it is just for testing purposes.
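
The key-pair creation and signing steps described above, carried out with OpenSSL and then checked before the request would be sent to a CA. This is an added example, not code from the original page; the file names, the subject fields and the host name `www.example.test` are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. File names and subject values are constructed placeholders.

# Create a 2048-bit RSA key pair and a CSR for common name $2 inside directory $1.
make_csr() {
  local dir=$1 cn=$2
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/server.key" 2>/dev/null || return 1
  chmod 600 "$dir/server.key"   # private key stays on this host, owner-only
  openssl req -new -key "$dir/server.key" \
    -subj "/C=US/O=Example Org/CN=$cn" -out "$dir/server.csr"
}

# True if the CSR's self-signature verifies against the public key it carries.
# Matched on the "verify OK" text so the result does not depend on exit status.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True if the public key embedded in CSR $1 belongs to private key $2.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print the subject line the CA will read from the request.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

work=$(mktemp -d)
make_csr "$work" "www.example.test"
csr_subject "$work/server.csr"
csr_signature_ok "$work/server.csr" && echo "self-signature: OK"
csr_matches_key "$work/server.csr" "$work/server.key" \
  && echo "CSR public key matches server.key"
# Only server.csr is submitted; server.key is never part of the request.
```

Running the same two checks on a CSR received from someone else confirms that the requester holds the private key for the public key being certified.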