There are many reasons why a CSR may be invalid. When you create the CSR make sure:
1. Your domain is hosted. This should not be intranet site.
2. Check the common name field. You may have specified an IP address (e.g. 22.214.171.124) or a server name (e.g. mywebserver) instead of a Fully Qualified Domain Name such as www.mydomain.com or domain name such as mydomain.com. You must specify a Fully Qualified Domain Name or domain name.
3. Make sure you did not use any special characters when filling in the information required for CSR generation. Special characters are [! @ # $ % ^ ( ) ~ ? > < & / , . ” ‘ _]
4. Check the country field. If you are located in the United Kingdom, do not specify your country code when generating the CSR as “UK”.It must be “GB”.
5. Make sure you have included the header and footer of the CSR into the enrollment form. The header and footer will look like:—BEGIN CERTIFICATE REQUEST—
—END CERTIFICATE REQUEST—
6. Make sure that there are 5 dashes on each side of Begin and End certificate request. There should also be no trailing spaces in the CSR.