Cryptography - Certificate Signing Request

About

When requesting a signed certificate, an additional file must be created. This file is called Certificate Signing Request, generated from the Private Key.

See the procedure at signed certificate procedure

Structure

This is an electronic document that contains all the essential information:

  • web site name,
  • contact email address
  • and company information.

File format (extension):

Example of screen in a wizard:

Csr Ldap Dn Properties

  • Cryptographic attributes. Bigger bit length takes longer to decode (2048 is a minimum)

Csr Crypto Properties

Management

Generation of a certification request

Openssl creation

openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
  • One line: certificate and request creation with the req command 1) - PKCS#10 certificate request and certificate generating utility where Distinguished Name is the DN (distinguished Name)
openssl req -new -key server.key.pem -out server.csr

Enter pass phrase for server.key.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-holland
Locality Name (eg, city) []:Oegstgeest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gerardnico.com
Organizational Unit Name (eg, section) []:Secret
Common Name (e.g. server FQDN or YOUR name) []:Nico
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:nico

The csr file is a pkcs#10 format. 

cat server.csr

-----BEGIN CERTIFICATE REQUEST-----
MIIB/jCCAWcCAQAwgZMxCzAJBgNVBAYTAk5MMRYwFAYDVQQIDA1Ob29yZC1ob2xs
YW5kMRMwEQYDVQQHDApPZWdzdGdlZXN0MRcwFQYDVQQKDA5HZXJhcmRuaWNvLmNv
bTEPMA0GA1UECwwGU2VjcmV0MQ0wCwYDVQQDDAROaWNvMR4wHAYJKoZIhvcNAQkB
Fg9nbmljb0BnbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANBN
wGYoOWf8Hh1RhnKj9FDaeUygQDBwCeuk1M4gNMxpoS4HqUHl/6RUraa8mX6hu59i
zRDdR0Y3aW0jePc7qKGBTE3Q01R2llcZr73WqBrmBLc3xh3nx2FnqyCTn6BEWSee
xECM/nrgLAunDW4AjnaEIUViqS2s2lZfscLvNJYXAgMBAAGgKjATBgkqhkiG9w0B
CQIxBgwEbmljbzATBgkqhkiG9w0BCQcxBgwEMTIzNDANBgkqhkiG9w0BAQsFAAOB
gQB6bEyPH9tFSqlhsXXrpmtOTj993OuK2uBOGIrFKkb8nwRCyRh7IzI8vfS2yZA8
ypfl+cQ9/bf/URrbf9hanWPNNZnKHfOFUBV9viXe3E8pMn0dbDiS2rFvYnDS3AMA
T2lU8tTxB69Eqfir0+Z0XOHEuGrBXBgX2c848fYYI+8RIg==
-----END CERTIFICATE REQUEST-----

Keytool Creation

with Cryptography - Keytool (Key and Certificate Management Tool) 

keytool \
    -certreq \
    -alias privateKeyAliasEntry \
    -keystore keyStoreName.jks \
    -storepass keyStorePwd \
    -file requestFile.csr \
    -keypass keyPassword

Read (Decode)

Csr Portecle Read

  • openssl
openssl req -in server.csr -noout -text

Sign

This operation in a certificate issuance procedure would be performed by a trusted ca

Example of signing a certificate signing request with openssl x509 2) command 

openssl \
     x509 `# output a certificate`  \
    -req `#input is a certificate request, sign and output` \
    -days 365 `#How long till expiry of a signed certificate - def 30 days` \
    -in client_csr.pem \
    -out client_certificate.pem \
    -CA root_certificate.pem \
    -CAkey root_private_key.pem \
    -set_serial 01 `# to avoid .srl: No such file or directory`

You’ll typically want to increment the serial number with each signing.

1)
https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
2)
openssl-x509




Discover More
Cryptography - Keytool (Key and Certificate Management Tool)

keytool is a Key and Certificate Management Tool that comes with the installation of Java where: See ...
Cryptography - PKCS (Public Key Cryptography Standards)

PKCS #X (Public Key Cryptography Standards) are a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s. They defined the file format of key...
Cryptography - Storage of key material

This page lists the datastore / file of cryptographic material such as: key LDAP identity certificat signing request and more. Key and key pair file format is the binary...
Certificate Validity Period Not Before Not After Portecle
Cryptography Certificate - How to self-signed a Certificate (for a test or internal server)

When a certificate is used to sign itself, it is called a self signed certificate. All root CA certificates of the certificate chain are self signed. This article shows you how to create a self-signed...
Domain Validate Certificate
Domain Validated Certificates (DV)

Domain Validated certificates are server signed certificates where the ownership of the domain was checked. There is no identifying organizational information for these certificates and thus should never...
Certificate Validity Period Not Before Not After Portecle
How a certificate is signed ? (known also as issuing or producing)

This article talks how a certificate: is send by a sender (known also as the owner) and gets its signature from a trusted ca to validate the identity of the sender. By signing a certificate, the...
400 Default Page No Required Ssl Certificate
How to configure certification based client authentication with Nginx ?

This article shows you how to configure a client authentication via the ownership of a certificat on a Nginx web server. The server should be already configured for HTTPS as client certificate (client...
Web Site Certificate
How to enable SSL on a server (ie HTTPS on a web server) ?

This page shows you how to configure a certificate and a private key for a server in order to enable SSL or a web server (http) (ie web site) in order to enable https (ie HTTP over SSL).
Certificate Validity Period Not Before Not After Portecle
Identification Material - Certificate (or Public Key Certificate)

A certificate is a document which permits to define with certainty the owner of the private key (ensures that the party you are communicating with is whom you think.) because it's digitally signed A certificate...
Porte Cle Keystore Pem
Privacy-Enhanced Mail (PEM) (OpenSsh key format)

Privacy-Enhanced Mail (PEM) is a file formats for cryptographic material (key, certificate, ..). The PEM format is the DER format encoded in base64 with additional header and footer lines to be transported...



Share this page:
Follow us:
Task Runner