Certificate signing request

From Wikipedia, the free encyclopedia

Jump to: navigation, search

In public key infrastructure systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate), and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.

If the request is successful, the certificate authority will send back an identity certificate that has been digitally signed with the private key of the certificate authority.

The PKCS#10 standard defines a binary format for encoding CSRs for use with X.509. It is expressed in ASN.1. Here is an example of how you can examine its ASN.1 structure using OpenSSL :

openssl asn1parse -in your_request

A CSR may be represented as a Base64 encoded PKCS#10; an example of which is given below:

-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw
EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l
eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r
uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM
MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv
tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi
PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K
9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC
-----END CERTIFICATE REQUEST-----

The above certificate's ASN.1 structure (as parsed by openssl) appears as the following:

    0:d=0  hl=4 l= 413 cons: SEQUENCE
    4:d=1  hl=4 l= 262 cons:  SEQUENCE
    8:d=2  hl=2 l=   1 prim:   INTEGER           :00
   11:d=2  hl=2 l=  93 cons:   SEQUENCE
   13:d=3  hl=2 l=  11 cons:    SET
   15:d=4  hl=2 l=   9 cons:     SEQUENCE
   17:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   22:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :SG
   26:d=3  hl=2 l=  17 cons:    SET
   28:d=4  hl=2 l=  15 cons:     SEQUENCE
   30:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
   35:d=5  hl=2 l=   8 prim:      PRINTABLESTRING   :M2Crypto
   45:d=3  hl=2 l=  18 cons:    SET
   47:d=4  hl=2 l=  16 cons:     SEQUENCE
   49:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   54:d=5  hl=2 l=   9 prim:      PRINTABLESTRING   :localhost
   65:d=3  hl=2 l=  39 cons:    SET
   67:d=4  hl=2 l=  37 cons:     SEQUENCE
   69:d=5  hl=2 l=   9 prim:      OBJECT            :emailAddress
   80:d=5  hl=2 l=  24 prim:      IA5STRING         :admin@server.example.dom
  106:d=2  hl=3 l= 159 cons:   SEQUENCE
  109:d=3  hl=2 l=  13 cons:    SEQUENCE
  111:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
  122:d=4  hl=2 l=   0 prim:     NULL
  124:d=3  hl=3 l= 141 prim:    BIT STRING
  268:d=2  hl=2 l=   0 cons:   cont [ 0 ]
  270:d=1  hl=2 l=  13 cons:  SEQUENCE
  272:d=2  hl=2 l=   9 prim:   OBJECT            :md5WithRSAEncryption
  283:d=2  hl=2 l=   0 prim:   NULL
  285:d=1  hl=3 l= 129 prim:  BIT STRING

(This was generated by supplying the base64 encoding into the command openssl asn1parse -inform PEM -i where PEM stands for Privacy-enhanced mail and describes the encoding of the ASN.1 Distinguished Encoding Rules in base64.)


How to decode your CSR using openssl in Debian/Etch Linux ?

Your CSR may contain information (such as a challenge passphrase),
that you do not want to send over the Internet to an unknown service.

In this case you can decode the content of your CSR by the 
following openssl command:

openssl req -in myreq.pem -noout -text

You can check the signature on your CSR by the following openssl 
command:

openssl req -in myreq.pem -noout -text -verify

CSR Decoding Tools

Decoding a CSR using services based on Internet websites is potentially unsecure and is therefore not recommended. You should exercise caution when using this type of service, including any of those listed in the External links section below. The publicly available OpenSSL service can decode a CSR locally, without transmitting sensitive information over unsecure networks.

[edit] External links


Personal tools
Languages