# GenerateCSR()

Generates a Certificate Signing Request (CSR) — a message you send to a Certificate Authority (like Let's Encrypt) to request an SSL/TLS certificate.

Returns a PEM-encoded string.

**Requires Extension:** [Crypto Extension](https://download.lucee.org/#17AB52DE-B300-A94B-E058FC978BE4542D)

```
GenerateCSR( keyPair=struct, subject=string, options=struct );
```

**Returns:** string

# Arguments

| Argument | Type | Required | Description | Default |
|----------|------|----------|-------------|---------|
| keyPair | struct | Yes | Key pair struct from GenerateKeyPair() with 'private' and 'public' keys. The public key is embedded in the CSR, the private key signs it. |  |
| subject | string | Yes | X.500 distinguished name (e.g. "CN=example.com,O=My Org,C=AU") |  |
| options | struct | No | Optional struct: sans (array of DNS names for Subject Alternative Names), algorithm (signature algorithm, auto-detected from key type if omitted) |  |

# Examples

```cfml
// Generate a Certificate Signing Request (CSR) to submit to a Certificate Authority
// This is the standard workflow: generate key pair -> create CSR -> submit to CA
keyPair = GenerateKeyPair( "RSA-2048" );
csr = GenerateCSR( keyPair, "CN=example.com, O=My Company, C=AU" );
// csr is a PEM string: "-----BEGIN CERTIFICATE REQUEST-----\n..."

// Include Subject Alternative Names (SANs) for multiple domains
csr = GenerateCSR( keyPair, "CN=example.com", {
	sans: [ "example.com", "www.example.com", "api.example.com" ]
});

// Works with EC keys
ecKeyPair = GenerateKeyPair( "P-256" );
csr = GenerateCSR( ecKeyPair, "CN=ec-test.example.com" );

// Works with Ed25519 keys
edKeyPair = GenerateKeyPair( "Ed25519" );
csr = GenerateCSR( edKeyPair, "CN=ed25519.example.com" );
```







# Categories

[Cryptography](../../categories/crypto.md)

# See Also

[GenerateKeyPair()](generatekeypair.md), [GenerateSelfSignedCertificate()](generateselfsignedcertificate.md)