Private key, CSR, certificate, and chain: the four pieces explained

Setting up HTTPS involves four ideas that sound technical but are easy to separate. MixSSL provides free tools on the public site to generate a CSR, decode files, and download issued certificates from your account.

Private key — keep it secret

The private key is created on your server or in the MixSSL CSR Generator. You must keep it secret: anyone who has the key can impersonate your site. MixSSL never stores your private key.

CSR (Certificate Signing Request)

A CSR is a short request file you send when ordering. It contains your domain name and public key, not the private key. Generate it on your server with OpenSSL or use the free CSR Generator on MixSSL.

The CSR Generator builds a signing request and private key in your browser session.

Use the CSR Decoder to inspect a CSR before you paste it into an order.

Paste a CSR to read the common name, key size, and additional names.

Certificate (CRT)

After validation, the authority issues your certificate file. Install it on the web server together with your private key. Use the free SSL Decoder to check expiry and domain names on any certificate file.

The SSL Decoder reads expiry, issuer, and subject alternative names.

Intermediate / CA chain

Browsers trust your certificate only when intermediate “chain” files link it to a root authority. Without the chain, visitors may see warnings even when your certificate is valid. After issuance, use the Intermediate CA and All files download links in your account.

Download certificate, intermediate CA, and ZIP bundle from /office when status is Active.
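
How the four pieces fit together, as an added example that is not MixSSL's code: it builds a throwaway root, intermediate and leaf certificate with OpenSSL, then shows that the leaf fails verification without the intermediate and passes with it, and that key, CSR and certificate carry the same public key. All subjects (Demo Root CA, example.test) and file names are constructed placeholders.

```shell
# Constructed demo PKI: every name and file here is a placeholder, not MixSSL data.

# Create a private key plus a CSR that holds only the subject and public key.
new_key_and_csr() {  # $1 = file basename, $2 = subject
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> intermediate -> leaf inside directory $1 (runs in a subshell).
build_demo_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'subjectAltName=DNS:example.test\n' > leaf.ext
  new_key_and_csr root  "/CN=Demo Root CA" &&
  new_key_and_csr inter "/CN=Demo Intermediate CA" &&
  new_key_and_csr leaf  "/CN=example.test" &&
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.crt 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.crt 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null
)

# Does the leaf verify up to the root? $2 = "with" or "without" the intermediate.
chain_verifies() {
  if [ "$2" = with ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
  fi
}

# The private key, the CSR and the issued certificate must share one public key.
pubkeys_match() {
  k=$(openssl pkey -in "$1/leaf.key" -pubout)
  r=$(openssl req  -in "$1/leaf.csr" -noout -pubkey)
  c=$(openssl x509 -in "$1/leaf.crt" -noout -pubkey)
  [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

demo() {
  d=$(mktemp -d) && build_demo_pki "$d" || return 1
  chain_verifies "$d" without && echo "no chain: OK" || echo "no chain: verification fails"
  chain_verifies "$d" with && echo "with chain: OK"
  pubkeys_match "$d" && echo "key, CSR and certificate share one public key"
  rm -rf "$d"
}
demo
```

The same `pubkeys_match` comparison is a quick way to confirm that an issued certificate belongs to the private key on the server before installing it.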

Getting help

Questions about CSR format or file types? Use the contact form on the MixSSL website.