Certificate Signing Request
What is a Certificate Signing Request (CSR)?
A CSR (also certification request) is a message sent to a certification authority to request an X.509 public key certificate. A CSR consists of a distinguished name, a public key, an optional set of attributes, an algorithm identifier and a digital signature. The optional attributes can be used to request that additional attributes are included in the certificate, for example an email address. The CSR is signed by the entity requesting the certificate using the private key corresponding to the public key in the request. The certification authority examines the CSR, which it considers to be a wish list from the requesting entity. If the request is in line with the CA's policy, or it can be modified to bring it in line, the CA will issue a certificate for the requesting entity. Once issued, the certificate is sent to the requesting entity and/or a certificate repository such as an LDAP directory.
What does a CSR look like?
The PKCS#10 standard describes a CSR. It is possible to encode a CSR in a number of ways including binary and text formats.
Binary Format
The binary encoded CSR is also known as the ASN.1 or DER encoded CSR. If you open a binary encoded CSR in a text editor you will see lots of strange-looking characters.
Text Format
The text format (also known as PEM) contains the same data as the binary format but it is encoded using Base-64 and includes additional header and footer lines. This text format can be read using a text editor. Below is an example of a text format CSR. You can use our CSR Decoder utility to decode the CSR and display the information contained within it.
-----BEGIN CERTIFICATE REQUEST-----
[Base-64 encoded request data]
-----END CERTIFICATE REQUEST-----
How do I generate a Certificate Signing Request using OpenSSL?
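The command line below shows how to generate a CSR using OpenSSL. After providing OpenSSL with information about the certificate you will end up with two files: a new private key called server.key and a certificate request called server.csr. The command requests a 2048-bit RSA key, because publicly trusted CAs do not accept RSA keys shorter than 2048 bits. The -nodes option writes the private key unencrypted, so restrict access to server.key.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr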
How can I decode a Certificate Signing Request?
We've written a web-based CSR Decoder tool that decodes CSRs online. If your CSR contains information that you do not want to send over the Internet (such as a challenge passphrase), you can decode a CSR locally on your own machine using the following OpenSSL command:
openssl req -in myreq.pem -noout -text
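The script below is an added example, not part of the original page. It ties the generation and decoding steps together by creating a CSR with a 2048-bit RSA key and then checking locally what the page describes: the request is signed with the matching private key, and the PEM text is the Base-64 form of the DER bytes. The subject values, function names and temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. Subject values and file locations are constructed.

# Create DIR/server.key and DIR/server.csr without interactive prompts.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/C=GB/O=Example Org/CN=www.example.test" 2>/dev/null
}

# True if the signature on the CSR verifies against the public key inside it.
# Matches the output text rather than trusting the exit status alone.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True if Base-64 decoding the PEM body gives exactly the DER encoding.
pem_body_is_der() {
    der=$(openssl req -in "$1" -outform DER | openssl dgst -sha256)
    body=$(grep -v '^-----' "$1" | openssl base64 -d | openssl dgst -sha256)
    [ -n "$der" ] && [ "$der" = "$body" ]
}

# True if the public key in the CSR belongs to the given private key.
csr_matches_key() {
    from_csr=$(openssl req -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -pubout)
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# Print the public key size in bits as reported by the text decode.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo run: generate a request in a temporary directory and check it.
dir=$(mktemp -d) && make_csr "$dir" &&
    csr_signature_ok "$dir/server.csr" &&
    pem_body_is_der "$dir/server.csr" &&
    csr_matches_key "$dir/server.csr" "$dir/server.key" &&
    echo "CSR checks passed, key size: $(csr_key_bits "$dir/server.csr") bits"
rm -rf "$dir"
```

Running csr_matches_key and csr_key_bits before submitting a request catches a CSR paired with the wrong key file or generated with an undersized key.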
