Certificate signing request

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge Spkac format generated by some Web browsers

Procedure[edit]

Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate) which must be signed using the applicant's private key. The CSR also contains the public key chosen by the applicant. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.

Typical information required in a CSR:

Information Description
Distinguished Name (DN) This is fully qualified domain name that you wish to secure e.g. 'www.example.com’ or 'mail.example.com'. This includes the Common Name (CN) e.g. 'www' or 'mail'
Business name / Organisation Usually the legal incorporated name of a company and should include any suffixes such as Ltd., Inc., or Corp.
Department Name / Organisational Unit e.g. HR, Finance, IT
Town/City e.g. London, Waterford, Paris, New York
Province, Region, County or State This should not be abbreviated e.g. Sussex, Normandy, New Jersey
Country The two-letter ISO code for the country where your organization is located e.g. GB, FR or US etc..
An email address An email address to contact the organisation. Usually the email address of the certificate administrator or IT department

If the request is successful, the certificate authority will send back an identity certificate that has been digitally signed with the private key of the certificate authority.

Example[edit]

The PKCS#10 standard defines a binary format for encoding CSRs for use with X.509. It is expressed in ASN.1. Here is an example of how you can examine its ASN.1 structure using OpenSSL:

openssl asn1parse -in your_request

A CSR may be represented as a Base64 encoded PKCS#10; an example of which is given below:

-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw
EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l
eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r
uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM
MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv
tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi
PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K
9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC
-----END CERTIFICATE REQUEST-----

The above certificate signing request's ASN.1 structure (as parsed by openssl) appears as the following:

 0:d=0 hl=4 l= 413 cons: SEQUENCE
 4:d=1 hl=4 l= 262 cons: SEQUENCE
 8:d=2 hl=2 l= 1 prim: INTEGER :00
 11:d=2 hl=2 l= 93 cons: SEQUENCE
 13:d=3 hl=2 l= 11 cons: SET
 15:d=4 hl=2 l= 9 cons: SEQUENCE
 17:d=5 hl=2 l= 3 prim: OBJECT :countryName
 22:d=5 hl=2 l= 2 prim: PRINTABLESTRING :SG
 26:d=3 hl=2 l= 17 cons: SET
 28:d=4 hl=2 l= 15 cons: SEQUENCE
 30:d=5 hl=2 l= 3 prim: OBJECT :organizationName
 35:d=5 hl=2 l= 8 prim: PRINTABLESTRING :M2Crypto
 45:d=3 hl=2 l= 18 cons: SET
 47:d=4 hl=2 l= 16 cons: SEQUENCE
 49:d=5 hl=2 l= 3 prim: OBJECT :commonName
 54:d=5 hl=2 l= 9 prim: PRINTABLESTRING :localhost
 65:d=3 hl=2 l= 39 cons: SET
 67:d=4 hl=2 l= 37 cons: SEQUENCE
 69:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
 80:d=5 hl=2 l= 24 prim: IA5STRING :admin@server.example.dom
 106:d=2 hl=3 l= 159 cons: SEQUENCE
 109:d=3 hl=2 l= 13 cons: SEQUENCE
 111:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
 122:d=4 hl=2 l= 0 prim: NULL
 124:d=3 hl=3 l= 141 prim: BIT STRING
 268:d=2 hl=2 l= 0 cons: cont [ 0 ]
 270:d=1 hl=2 l= 13 cons: SEQUENCE
 272:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
 283:d=2 hl=2 l= 0 prim: NULL
 285:d=1 hl=3 l= 129 prim: BIT STRING

This was generated by supplying the base64 encoding into the command openssl asn1parse -in your_request -inform PEM -i where PEM stands for Privacy-enhanced mail and describes the encoding of the ASN.1 Distinguished Encoding Rules in base64.

Tools[edit]

OpenSSL can decode a CSR locally, without transmitting sensitive information over unsecure networks.[1]

Microsoft Windows OS versions newer than XP contain certutil.exe. Older OS versions may be able to install certutil.exe as part of another package, e.g. the Windows 2003 Server Service Pack 1 version of adminpak.

Many other programs that are capable of creating a CSR are also capable of decoding it locally into a human readable format.

See also[edit]

Notes[edit]

External links[edit]