What is a Certificate Signing Request (CSR)?


When requesting a signed certificate, an additional file must be created. This file is called Certificate Signing Request, generated from the Private Key.

See the procedure at signed certificate procedure


This is an electronic document that contains all the essential information:

  • web site name,
  • contact email address
  • and company information.

File format (extension):

Example of screen in a wizard:

Csr Ldap Dn Properties

  • Cryptographic attributes. Bigger bit length takes longer to decode (2048 is a minimum)

Csr Crypto Properties


Generation of a certification request

Openssl creation

openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
  • One line: certificate and request creation with the req command 1) - PKCS#10 certificate request and certificate generating utility where Distinguished Name is the DN (distinguished Name)
openssl req -new -key server.key.pem -out server.csr
Enter pass phrase for server.key.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-holland
Locality Name (eg, city) []:Oegstgeest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gerardnico.com
Organizational Unit Name (eg, section) []:Secret
Common Name (e.g. server FQDN or YOUR name) []:Nico
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:nico

The csr file is a pkcs#10 format.

cat server.csr

Keytool Creation

with Cryptography - Keytool (Key and Certificate Management Tool)

keytool \
    -certreq \
    -alias privateKeyAliasEntry \
    -keystore keyStoreName.jks \
    -storepass keyStorePwd \
    -file requestFile.csr \
    -keypass keyPassword

Read (Decode)

Csr Portecle Read

openssl req -in server.csr -noout -text


This operation in a certificate issuance procedure would be performed by a trusted ca

Example of signing a certificate signing request with openssl x509 2) command

openssl \
     x509 `# output a certificate`  \
    -req `#input is a certificate request, sign and output` \
    -days 365 `#How long till expiry of a signed certificate - def 30 days` \
    -in client_csr.pem \
    -out client_certificate.pem \
    -CA root_certificate.pem \
    -CAkey root_private_key.pem \
    -set_serial 01 `# to avoid .srl: No such file or directory`

You’ll typically want to increment the serial number with each signing.

Discover More
Cryptography - Keytool (Key and Certificate Management Tool)

keytool is a Key and Certificate Management Tool that comes with the installation of Java where: See ...
Cryptography - PKCS (Public Key Cryptography Standards)

PKCS #X (Public Key Cryptography Standards) are a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s. They defined the file format of key...
Cryptography - Storage of key material

This page lists the datastore / file of cryptographic material such as: key LDAP identity certificat signing request and more. Key and key pair file format is the binary...
Certificate Validity Period Not Before Not After Portecle
Cryptography Certificate - How to self-signed a Certificate (for a test or internal server)

When a certificate is used to sign itself, it is called a self signed certificate. All root CA certificates of the certificate chain are self signed. This article shows you how to create a self-signed...
Domain Validate Certificate
Domain Validated Certificates (DV)

Domain Validated certificates are server signed certificates where the ownership of the domain was checked. There is no identifying organizational information for these certificates and thus should never...
Certificate Validity Period Not Before Not After Portecle
How a certificate is signed ? (known also as issuing or producing)

This article talks how a certificate: is send by a sender (known also as the owner) and gets its signature from a trusted ca to validate the identity of the sender. By signing a certificate, the...
400 Default Page No Required Ssl Certificate
How to configure certification based client authentication with Nginx ?

This article shows you how to configure a client authentication via the ownership of a certificat on a Nginx web server. The server should be already configured for HTTPS as client certificate (client...
Web Site Certificate
How to enable SSL on a server (ie HTTPS on a web server) ?

This page shows you how to configure a certificate and a private key for a server in order to enable SSL or a web server (http) (ie web site) in order to enable https (ie HTTP over SSL).
Certificate Validity Period Not Before Not After Portecle
Identification Material - X.509 Certificate (or Public Key Certificate) - Crt

A certificate is a document which permits to define with certainty the owner of the private key (ensures that the party you are communicating with is whom you think.) because it's digitally signed A certificate...
Porte Cle Keystore Pem
Privacy-Enhanced Mail (PEM) (OpenSsh key format)

Privacy-Enhanced Mail (PEM) is a file formats for cryptographic material (key, certificate, ..). The PEM format is the DER format encoded in base64 with additional header and footer lines to be transported...

Share this page:
Follow us:
Task Runner