Cryptography - Certificate Signing Request

1 - About

When requesting a signed certificate, an additional file must be created. This file is called a Certificate Signing Request (CSR). It is generated from the private key: it carries the matching public key and is signed with the private key.

See the signed certificate procedure.

3 - Structure

This is an electronic document that contains all the essential information:

  • web site name,
  • contact email address
  • and company information.

File format (extension):

Example of screen in a wizard:

  • Cryptographic attributes. Bigger bit length takes longer to decode.

4 - Management

4.1 - Generation of a certification request

4.1.1 - Openssl creation

req - PKCS#10 certificate request and certificate generating utility - Doc

openssl req -new -key server.key.pem -out server.csr
Enter pass phrase for server.key.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-holland
Locality Name (eg, city) []:Oegstgeest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gerardnico.com
Organizational Unit Name (eg, section) []:Secret
Common Name (e.g. server FQDN or YOUR name) []:Nico
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:nico
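  • The CSR file is in PKCS#10 format. Its content is only encoded, not encrypted: the subject fields and the 'extra' attributes entered above, including the challenge password, are readable by anyone who gets the file.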
cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB/jCCAWcCAQAwgZMxCzAJBgNVBAYTAk5MMRYwFAYDVQQIDA1Ob29yZC1ob2xs
YW5kMRMwEQYDVQQHDApPZWdzdGdlZXN0MRcwFQYDVQQKDA5HZXJhcmRuaWNvLmNv
bTEPMA0GA1UECwwGU2VjcmV0MQ0wCwYDVQQDDAROaWNvMR4wHAYJKoZIhvcNAQkB
Fg9nbmljb0BnbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANBN
wGYoOWf8Hh1RhnKj9FDaeUygQDBwCeuk1M4gNMxpoS4HqUHl/6RUraa8mX6hu59i
zRDdR0Y3aW0jePc7qKGBTE3Q01R2llcZr73WqBrmBLc3xh3nx2FnqyCTn6BEWSee
xECM/nrgLAunDW4AjnaEIUViqS2s2lZfscLvNJYXAgMBAAGgKjATBgkqhkiG9w0B
CQIxBgwEbmljbzATBgkqhkiG9w0BCQcxBgwEMTIzNDANBgkqhkiG9w0BAQsFAAOB
gQB6bEyPH9tFSqlhsXXrpmtOTj993OuK2uBOGIrFKkb8nwRCyRh7IzI8vfS2yZA8
ypfl+cQ9/bf/URrbf9hanWPNNZnKHfOFUBV9viXe3E8pMn0dbDiS2rFvYnDS3AMA
T2lU8tTxB69Eqfir0+Z0XOHEuGrBXBgX2c848fYYI+8RIg==
-----END CERTIFICATE REQUEST-----

4.1.2 - Keytool Creation

With keytool (Key and Certificate Management Tool):

keytool \
    -certreq \
    -alias privateKeyAliasEntry \
    -keystore keyStoreName.jks \
    -storepass keyStorePwd \
    -file requestFile.csr \
    -keypass keyPassword

4.2 - Read (Decode)

  • openssl
openssl req -in server.csr -noout -text
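
The generation and read steps above as one non-interactive script, with two checks worth running before a CSR goes to a CA: that its self-signature verifies and that its public key matches the private key. This is an added example, not part of the original page; the subject values, file names, temporary directory and the unencrypted throwaway key are assumptions.

```shell
#!/bin/sh
# Added example. Subject values, file names and the temp directory are constructed;
# the key is an unencrypted throwaway (the page's key is passphrase-protected).

make_csr() {    # $1 = directory, $2 = subject DN in /C=../O=../CN=.. form
    # Create the private key with owner-only permissions from the start.
    (umask 077 && openssl genrsa -out "$1/server.key.pem" 2048 2>/dev/null) || return 1
    # -subj supplies the Distinguished Name, so no interactive prompts appear.
    openssl req -new -key "$1/server.key.pem" -subj "$2" -out "$1/server.csr"
}

csr_signature_ok() {    # $1 = CSR file
    # A CSR is signed with the requester's private key. Match on the message
    # text rather than the exit status, which some older releases leave at 0.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_matches_key() {    # $1 = CSR file, $2 = private key file
    # The public key embedded in the CSR must equal the one derived from the key.
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

csr_subject() {    # $1 = CSR file; prints the subject in RFC 2253 form
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_csr "$work" "/C=NL/O=Example/CN=www.example.test" || exit 1
csr_signature_ok "$work/server.csr" && echo "self-signature: OK"
csr_matches_key "$work/server.csr" "$work/server.key.pem" && echo "key binding: OK"
csr_subject "$work/server.csr"
```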