Question

Ok, so you're purchasing an SSL certificate for your web app. After you create the private key with openssl and you use that to create the certificate signing request, you send the CSR to the certificate issuer and they send you the certificate, right? Now what does one do with the CSR and the associated private key afterwards? Do you keep them or delete them?


Solution

The CSR can be deleted. Whenever your certificate expires, you can generate a new CSR.

The private key will be used by your web server along with the certificate to establish the SSL connection. They are used either separately, or together as part of a keystore... it depends on how your web server is configured. You may also need any intermediate CA certs to form the certificate chain that is passed to the client.

You definitely want to keep the private key in a secure location so no one can get to it.
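The lifecycle described above, scripted with openssl as an added example that is not part of the original answer: create the key and CSR, confirm the returned certificate belongs to the key, then delete the CSR and restrict the key to its owner. The file names, the CN `app.example.test`, and the self-signed certificate standing in for the CA-issued one are assumptions.

```shell
#!/bin/sh
# Added example: file names and the CN are constructed, and a self-signed
# certificate stands in for the one the CA would send back.

# Print a SHA-256 over the public key held in a private key or certificate.
pubkey_hash() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl sha256
}

# Succeed only if the certificate was issued for this private key.
key_matches_cert() {
    k=$(pubkey_hash key "$1") || return 1
    c=$(pubkey_hash cert "$2") || return 1
    [ "$k" = "$c" ]
}

# Permission string of a file, e.g. -rw------- for owner-only access.
key_mode() { ls -l "$1" | cut -c1-10; }

# Key -> CSR -> certificate -> verify -> delete CSR, in directory $1.
demo() {
    dir=$1
    ( umask 077    # create the key file without group/other access
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/server.key" ) 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=app.example.test" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # Stand-in for the CA: self-sign the CSR for one day.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 1 -out "$dir/server.crt" 2>/dev/null || return 1
    # Before deploying, confirm the certificate belongs to this key.
    key_matches_cert "$dir/server.key" "$dir/server.crt" || return 1
    rm -f "$dir/server.csr"      # CSR is disposable; regenerate at renewal
    chmod 600 "$dir/server.key"  # private key readable by its owner only
}

work=$(mktemp -d) && demo "$work" &&
    echo "certificate matches key; CSR deleted; key mode $(key_mode "$work/server.key")"
rm -rf "$work"
```
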

OTHER TIPS

I don't think the CSR is absolutely necessary to keep, but it is a good idea to keep it. The private key you definitely have to keep.

Licensed under: CC-BY-SA with attribution