- Certificate signing request
-
In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. The most common format for CSRs is the PKCS#10 specification and another is the Signed Public Key and Challenge Spkac format generated by some web browsers.
Contents
CSR Contents
Detailed information on CSR contents is given in the CSR FAQ.
Procedure
Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate), and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.
Typical information required in a CSR
Information Description Distinguished Name (DN) This is fully qualified domain name that you wish to secure e.g. ‘www.mydomain.com’ or 'mail.mydomain.com'. This includes the Common Name (CN) e.g. 'www' or 'mail'
Business name / Organisation Usually the legal incorporated name of a company and should include any suffixes such as Ltd., Inc., or Corp. Department Name / Organisational Unit e.g. HR, Finance, IT Town/City e.g. London, Paris, New York Province, Region, County or State This should not be abbreviated e.g. Sussex, Normandy, New Jersey
Country The two-letter ISO code for the country where your organization is located e.g. GB, FR or US etc..
An email address An email address to contact the organisation. Usually the email address of the certificate administrator or IT department If the request is successful, the certificate authority will send back an identity certificate that has been digitally signed with the private key of the certificate authority.
CSR Example
The PKCS#10 standard defines a binary format for encoding CSRs for use with X.509. It is expressed in ASN.1. Here is an example of how you can examine its ASN.1 structure using OpenSSL :
openssl asn1parse -in your_requestA CSR may be represented as a Base64 encoded PKCS#10; an example of which is given below:
-----BEGIN CERTIFICATE REQUEST----- MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K 9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC -----END CERTIFICATE REQUEST-----
The above certificate signing request's ASN.1 structure (as parsed by openssl) appears as the following:
0:d=0 hl=4 l= 413 cons: SEQUENCE 4:d=1 hl=4 l= 262 cons: SEQUENCE 8:d=2 hl=2 l= 1 prim: INTEGER :00 11:d=2 hl=2 l= 93 cons: SEQUENCE 13:d=3 hl=2 l= 11 cons: SET 15:d=4 hl=2 l= 9 cons: SEQUENCE 17:d=5 hl=2 l= 3 prim: OBJECT :countryName 22:d=5 hl=2 l= 2 prim: PRINTABLESTRING :SG 26:d=3 hl=2 l= 17 cons: SET 28:d=4 hl=2 l= 15 cons: SEQUENCE 30:d=5 hl=2 l= 3 prim: OBJECT :organizationName 35:d=5 hl=2 l= 8 prim: PRINTABLESTRING :M2Crypto 45:d=3 hl=2 l= 18 cons: SET 47:d=4 hl=2 l= 16 cons: SEQUENCE 49:d=5 hl=2 l= 3 prim: OBJECT :commonName 54:d=5 hl=2 l= 9 prim: PRINTABLESTRING :localhost 65:d=3 hl=2 l= 39 cons: SET 67:d=4 hl=2 l= 37 cons: SEQUENCE 69:d=5 hl=2 l= 9 prim: OBJECT :emailAddress 80:d=5 hl=2 l= 24 prim: IA5STRING :admin@server.example.dom 106:d=2 hl=3 l= 159 cons: SEQUENCE 109:d=3 hl=2 l= 13 cons: SEQUENCE 111:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption 122:d=4 hl=2 l= 0 prim: NULL 124:d=3 hl=3 l= 141 prim: BIT STRING 268:d=2 hl=2 l= 0 cons: cont [ 0 ] 270:d=1 hl=2 l= 13 cons: SEQUENCE 272:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption 283:d=2 hl=2 l= 0 prim: NULL 285:d=1 hl=3 l= 129 prim: BIT STRING(This was generated by supplying the base64 encoding into the command
openssl asn1parse -inform PEM -iwhere PEM stands for Privacy-enhanced mail and describes the encoding of the ASN.1 Distinguished Encoding Rules in base64.)How do you decode your CSR using openssl in Debian/Etch Linux ? Your CSR may contain information (such as a challenge passphrase), that you do not want to send over the Internet to an unknown service. In this case you can decode the content of your CSR by the following openssl command: openssl req -in myreq.pem -noout -text You can check the signature on your CSR by the following openssl command: openssl req -in myreq.pem -noout -text -verify
CSR Decoding Tools
Decoding a CSR using services based on Internet websites is potentially unsecure and is therefore not recommended. You should exercise caution when using this type of service, including any of those listed in the External links section below.
The publicly available OpenSSL service can decode a CSR locally, without transmitting sensitive information over unsecure networks. [1]
Microsoft Windows OS versions newer than XP contain certutil.exe. Older OS versions may be able to install certutil.exe as part of another package, e.g. the Windows 2003 Server Service Pack 1 version of adminpak. The basic command to view the contents of a CSR locally using this tool is certutil.exe -dump filename.csr.
Many other programs that are capable of creating a CSR are also capable of decoding it locally into a human readable format.
Internal Links
- The Spkac CSR, generated by some browsers (Opera, Safari, Firefox) is now part of the html5 spec
External links
- Online CSR Decoder - Decode a certificate signing request (CSR) to check its contents. Uses OpenSSL.
- A CSR FAQ which provides more detailed information.
- Check Your CSR Key Check Your CSR Key.
- CSR Parser / Decoder which decodes your CSR data.
- CSR Decoder and Certificate Decoder - can be used to decode and examine an encoded CSR or certificate.
- SSL Checker - can be used to test a certificate and that it has been installed correctly
- CSR Decoder - can be used to decode and examine an encoded CSR - but not based on OpenSSL.
- CSR Decoder - SSL.nu
- Online CSR checker - Will check that a CSR is valid for submission to a certification authority
- Ajax CSR Decoder - SSLShopper.com
- PKI Widgets - Online tools to generate and decode CSRs and digital certificates
- CSR Creation Tool for Exchange 2007 - DigiCert.com
Online SSL CSR Decoder
Notes
Categories:- Cryptographic protocols
Wikimedia Foundation. 2010.
