What is a Certificate Signing Request (CSR)?
About
When requesting a signed certificate, an additional file must be created. This file is called Certificate Signing Request, generated from the Private Key.
See the procedure at signed certificate procedure
Structure
This is an electronic document that contains all the essential information:
- web site name,
- contact email address
- and company information.
File format (extension):
Example of screen in a wizard:
- Cryptographic attributes. Bigger bit length takes longer to decode (2048 is a minimum)
Management
Generation of a certification request
Openssl creation
- from a certificate to a CSR
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
- One line: certificate and request creation with the req command 1) - PKCS#10 certificate request and certificate generating utility where Distinguished Name is the DN (distinguished Name)
openssl req -new -key server.key.pem -out server.csr
Enter pass phrase for server.key.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-holland
Locality Name (eg, city) []:Oegstgeest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gerardnico.com
Organizational Unit Name (eg, section) []:Secret
Common Name (e.g. server FQDN or YOUR name) []:Nico
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:nico
The csr file is a pkcs#10 format.
cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB/jCCAWcCAQAwgZMxCzAJBgNVBAYTAk5MMRYwFAYDVQQIDA1Ob29yZC1ob2xs
YW5kMRMwEQYDVQQHDApPZWdzdGdlZXN0MRcwFQYDVQQKDA5HZXJhcmRuaWNvLmNv
bTEPMA0GA1UECwwGU2VjcmV0MQ0wCwYDVQQDDAROaWNvMR4wHAYJKoZIhvcNAQkB
Fg9nbmljb0BnbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANBN
wGYoOWf8Hh1RhnKj9FDaeUygQDBwCeuk1M4gNMxpoS4HqUHl/6RUraa8mX6hu59i
zRDdR0Y3aW0jePc7qKGBTE3Q01R2llcZr73WqBrmBLc3xh3nx2FnqyCTn6BEWSee
xECM/nrgLAunDW4AjnaEIUViqS2s2lZfscLvNJYXAgMBAAGgKjATBgkqhkiG9w0B
CQIxBgwEbmljbzATBgkqhkiG9w0BCQcxBgwEMTIzNDANBgkqhkiG9w0BAQsFAAOB
gQB6bEyPH9tFSqlhsXXrpmtOTj993OuK2uBOGIrFKkb8nwRCyRh7IzI8vfS2yZA8
ypfl+cQ9/bf/URrbf9hanWPNNZnKHfOFUBV9viXe3E8pMn0dbDiS2rFvYnDS3AMA
T2lU8tTxB69Eqfir0+Z0XOHEuGrBXBgX2c848fYYI+8RIg==
-----END CERTIFICATE REQUEST-----
Keytool Creation
with Cryptography - Keytool (Key and Certificate Management Tool)
keytool \
-certreq \
-alias privateKeyAliasEntry \
-keystore keyStoreName.jks \
-storepass keyStorePwd \
-file requestFile.csr \
-keypass keyPassword
Read (Decode)
- with Portecle
openssl req -in server.csr -noout -text
Sign
This operation in a certificate issuance procedure would be performed by a trusted ca
Example of signing a certificate signing request with openssl x509 2) command
openssl \
x509 `# output a certificate` \
-req `#input is a certificate request, sign and output` \
-days 365 `#How long till expiry of a signed certificate - def 30 days` \
-in client_csr.pem \
-out client_certificate.pem \
-CA root_certificate.pem \
-CAkey root_private_key.pem \
-set_serial 01 `# to avoid .srl: No such file or directory`
You’ll typically want to increment the serial number with each signing.