Certificate signing request

In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. The most common format for CSRs is the PKCS#10 specification; another is the Signed Public Key and Challenge (SPKAC) format generated by some web browsers.

CSR Contents

Detailed information on CSR contents is given in the CSR FAQ.

Procedure

Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate), and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.

Typical information required in a CSR

Distinguished Name (DN): the fully qualified domain name that you wish to secure, e.g. 'www.mydomain.com' or 'mail.mydomain.com'. This includes the Common Name (CN), e.g. 'www' or 'mail'.
Business name / Organisation: usually the legal incorporated name of a company, including any suffixes such as Ltd., Inc., or Corp.
Department Name / Organisational Unit: e.g. HR, Finance, IT.
Town/City: e.g. London, Paris, New York.
Province, Region, County or State: should not be abbreviated, e.g. Sussex, Normandy, New Jersey.
Country: the two-letter ISO code for the country where your organization is located, e.g. GB, FR or US.
An email address: an email address to contact the organisation, usually that of the certificate administrator or IT department.


If the request is successful, the certificate authority will send back an identity certificate that has been digitally signed with the private key of the certificate authority.

CSR Example

The PKCS#10 standard defines a binary format for encoding CSRs for use with X.509. It is expressed in ASN.1. Here is an example of how you can examine its ASN.1 structure using OpenSSL:

openssl asn1parse -in your_request

A CSR may be represented as a Base64 encoded PKCS#10; an example of which is given below:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


The above certificate signing request's ASN.1 structure (as parsed by openssl) appears as the following:

0:d=0 hl=4 l= 413 cons: SEQUENCE
4:d=1 hl=4 l= 262 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 93 cons: SEQUENCE
13:d=3 hl=2 l= 11 cons: SET
15:d=4 hl=2 l= 9 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :countryName
22:d=5 hl=2 l= 2 prim: PRINTABLESTRING :SG
26:d=3 hl=2 l= 17 cons: SET
28:d=4 hl=2 l= 15 cons: SEQUENCE
30:d=5 hl=2 l= 3 prim: OBJECT :organizationName
35:d=5 hl=2 l= 8 prim: PRINTABLESTRING :M2Crypto
45:d=3 hl=2 l= 18 cons: SET
47:d=4 hl=2 l= 16 cons: SEQUENCE
49:d=5 hl=2 l= 3 prim: OBJECT :commonName
54:d=5 hl=2 l= 9 prim: PRINTABLESTRING :localhost
65:d=3 hl=2 l= 39 cons: SET
67:d=4 hl=2 l= 37 cons: SEQUENCE
69:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
80:d=5 hl=2 l= 24 prim: IA5STRING :admin@server.example.dom
106:d=2 hl=3 l= 159 cons: SEQUENCE
109:d=3 hl=2 l= 13 cons: SEQUENCE
111:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
122:d=4 hl=2 l= 0 prim: NULL
124:d=3 hl=3 l= 141 prim: BIT STRING
268:d=2 hl=2 l= 0 cons: cont [ 0 ]
270:d=1 hl=2 l= 13 cons: SEQUENCE
272:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
283:d=2 hl=2 l= 0 prim: NULL
285:d=1 hl=3 l= 129 prim: BIT STRING


(This was generated by supplying the base64 encoding into the command openssl asn1parse -inform PEM -i, where PEM stands for Privacy-enhanced Mail and describes the encoding of the ASN.1 Distinguished Encoding Rules (DER) in base64.)
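The Procedure section and the table above describe what goes into a CSR, and the asn1parse listing shows how PKCS#10 lays it out in DER. The following Python is an added example, not code from the article or from OpenSSL: it assembles a CSR-shaped structure from the same subject fields (countryName, organizationName, commonName, emailAddress), using placeholder bytes for the public key and the signature because no key pair is generated, and then walks the DER the way openssl asn1parse -i does, bounds-checking every length, and recovers the subject and the signature algorithm so that a CA-side intake check can flag a request signed with md5WithRSAEncryption, as the sample above is. The OIDs are the standard ones; the function and constant names are this example's own.

```python
# Added example, not the article's code: build a PKCS#10-shaped CSR in DER from the table's
# subject fields, then walk it the way `openssl asn1parse -i` does (standard library only).

def tlv(tag, content):
    """Tag, DER length (short form below 128, else 0x80|count then the length bytes), content."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def der_oid(dotted):
    """First two arcs share one byte; later arcs are base-128 with the high bit set on all but the last."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_seq(*items): return tlv(0x30, b"".join(items))
def der_set(*items): return tlv(0x31, b"".join(items))

# OIDs named in the article's asn1parse output, plus sha256WithRSAEncryption
OIDS = {"2.5.4.6": "countryName", "2.5.4.10": "organizationName", "2.5.4.3": "commonName",
        "1.2.840.113549.1.9.1": "emailAddress", "1.2.840.113549.1.1.1": "rsaEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
NAME_OIDS = {name: oid for oid, name in OIDS.items()}
TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x05: "NULL", 0x06: "OBJECT",
             0x13: "PRINTABLESTRING", 0x16: "IA5STRING", 0x30: "SEQUENCE", 0x31: "SET"}
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}  # the article's sample CSR is signed with this

def build_csr(subject, sig_alg_oid, pubkey=b"\x00" * 16, sig=b"\x00" * 16):
    """CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }.  The key
    and signature bit strings are placeholders: structurally a CSR, not a signed one."""
    rdns = [der_set(der_seq(der_oid(NAME_OIDS[attr]),                  # emailAddress is IA5String,
                            tlv(0x16 if attr == "emailAddress" else 0x13,  # the rest PrintableString
                                value.encode("ascii"))))
            for attr, value in subject]
    info = der_seq(tlv(0x02, b"\x00"),                                            # version 0
                   der_seq(*rdns),                                                # subject Name
                   der_seq(der_seq(der_oid(NAME_OIDS["rsaEncryption"]), tlv(0x05, b"")),
                           tlv(0x03, b"\x00" + pubkey)),                          # SubjectPublicKeyInfo
                   tlv(0xA0, b""))                                                # [0] attributes, empty
    return der_seq(info, der_seq(der_oid(sig_alg_oid), tlv(0x05, b"")), tlv(0x03, b"\x00" + sig))

def decode_oid(content):
    arcs = [2, content[0] - 80] if content[0] >= 80 else [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def asn1parse(der, depth=0, base=0, out=None):
    """List (offset, depth, hl, l, 'cons'|'prim', label) per element, bounds-checking every length."""
    out, pos = [] if out is None else out, 0
    while pos < len(der):
        tag, first = der[pos], (der[pos + 1] if pos + 1 < len(der) else 0x80)
        n = 0 if first < 0x80 else first & 0x7F
        length, hl = (first if n == 0 else int.from_bytes(der[pos + 2:pos + 2 + n], "big")), 2 + n
        if first == 0x80 or pos + hl + length > len(der):     # indefinite length is BER, not DER
            raise ValueError(f"malformed or truncated element at offset {base + pos}")
        content, cons = der[pos + hl:pos + hl + length], bool(tag & 0x20)
        label = f"cont [ {tag & 0x1F} ]" if (tag & 0xC0) == 0x80 else TAG_NAMES.get(tag, f"tag 0x{tag:02x}")
        if tag == 0x06:
            label += " :" + OIDS.get(decode_oid(content), decode_oid(content))
        elif tag in (0x13, 0x16):
            label += " :" + content.decode("ascii")
        out.append((base + pos, depth, hl, length, "cons" if cons else "prim", label))
        if cons:
            asn1parse(content, depth + 1, base + pos + hl, out)
        pos += hl + length
    return out

def csr_summary(der):
    """Subject attribute OIDs sit at depth 5, the outer signature-algorithm OID at depth 2."""
    entries, subject, sig_alg = asn1parse(der), [], None
    for i, (_, d, _, _, _, label) in enumerate(entries):
        if label.startswith("OBJECT :"):
            name = label[len("OBJECT :"):]
            if d == 5:
                subject.append((name, entries[i + 1][5].split(" :", 1)[1]))
            elif d == 2:
                sig_alg = name
    return {"subject": subject, "signature_algorithm": sig_alg, "weak_signature": sig_alg in WEAK_SIG_ALGS}

SAMPLE_SUBJECT = [("countryName", "SG"), ("organizationName", "M2Crypto"),   # constructed sample,
                  ("commonName", "localhost"), ("emailAddress", "admin@server.example.dom")]  # article's values

if __name__ == "__main__":
    csr = build_csr(SAMPLE_SUBJECT, NAME_OIDS["md5WithRSAEncryption"])
    for off, d, hl, l, kind, label in asn1parse(csr):
        print(f"{off:5d}:d={d} hl={hl} l={l:4d} {kind}: {'  ' * d}{label}")
    print(csr_summary(csr))
```

Run as a script it prints a listing in the same offset/depth/length layout as the openssl output above (with these subject values the subject Name comes out at l=93, exactly as in the article's listing), followed by the summary with the weak-signature flag set. The walker deliberately refuses indefinite lengths and any element that overruns its parent, which is the first check a CA should apply to applicant-supplied bytes before going near the signature; for real requests, openssl req -noout -text -verify remains the tool to use.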



How do you decode your CSR using openssl in Debian/Etch Linux?

Your CSR may contain information (such as a challenge passphrase) that you do not want to send over the Internet to an unknown service.

In this case you can decode the content of your CSR locally with the following openssl command:

openssl req -in myreq.pem -noout -text

You can check the signature on your CSR with the following openssl command:

openssl req -in myreq.pem -noout -text -verify

CSR Decoding Tools

Decoding a CSR using services based on Internet websites is potentially insecure and is therefore not recommended. You should exercise caution when using this type of service, including any of those listed in the External links section below.

The freely available OpenSSL toolkit can decode a CSR locally, without transmitting sensitive information over insecure networks.

Microsoft Windows OS versions newer than XP contain certutil.exe. Older OS versions may be able to install certutil.exe as part of another package, e.g. the Windows 2003 Server Service Pack 1 version of adminpak. The basic command to view the contents of a CSR locally using this tool is certutil.exe -dump filename.csr.

Many other programs that are capable of creating a CSR are also capable of decoding it locally into a human readable format.

See also

  • Spkac, a CSR generated by some browsers (Opera, Safari, Firefox) which is now part of the HTML 5 spec.

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.