Thursday, May 12, 2011

What is a CSR (Certificate Signing Request)?

A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

Common Name
  The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.
  Example: *

Organization
  The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.
  Example: Spice Up Your Knowledge Corp.

Organizational Unit
  The division of your organization handling the certificate.
  Example: Information Technology or IT Department

City/Locality
  The city where your organization is located.
  Example: Chennai

State/County/Region
  The state/region where your organization is located. This shouldn't be abbreviated.
  Example: TN

Country
  The two-letter ISO code for the country where your organization is located.
  Example: IN

Email address
  An email address used to contact your

What is a CSR's format?

Most CSRs are created in the Base-64 encoded PEM format. This format includes the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at the beginning and end of the CSR. A PEM format CSR can be opened in a text editor and looks like the following example:


How do I generate a CSR and private key?

You normally generate the CSR and private key on the server that the certificate will be used on, but it is not mandatory. You can follow the steps below to generate a CSR and private key.

C:\OpenSSL\bin>openssl.exe req -new -keyout srv.key -out srv.csr
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key

writing new private key to 'srv.key'
Enter PEM pass phrase: ******
Verifying - Enter PEM pass phrase: ******

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CHENNAI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Spice Up Your Knowledge
Organizational Unit Name (eg, section) []:NS
Common Name (eg, YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:

How to decode a CSR?

You can easily decode your CSR to see what is in it by using our CSR Decoder. In order to decode a CSR on your own machine using OpenSSL, use the following command:

C:\OpenSSL\bin>openssl req -in srv.csr -noout -text
Certificate Request:
    Version: 0 (0x0)
    Subject: C=IN, ST=TN, L=CHENNAI, O=SpiceUp, OU=NS,
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (1024 bit)
            Exponent: 65537 (0x10001)
    challengePassword :unable to print attribute
    Signature Algorithm: sha1WithRSAEncryption
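As an added example (not the blog's own code), the following Python walks the same PKCS#10 structure that "openssl req -text" prints above, using only the standard library: it assembles a constructed sample request in the PEM format described earlier (a dummy 1024-bit value stands in for the modulus and the signature is all zeros, so OpenSSL would reject it) and decodes the subject, key size, exponent, challenge password and signature algorithm back out of it. All function names and the sample values are my own.

```python
import base64, textwrap
# Added example, not the blog's code: a standard-library-only PKCS#10 walker that reads
# back the fields `openssl req -text` prints. The sample request built at the bottom is
# CONSTRUCTED (a dummy 1024-bit value as modulus, all-zero signature): not a real CSR.
OIDS = {"C": "550406", "ST": "550408", "L": "550407", "O": "55040a", "OU": "55040b",
        "CN": "550403", "rsaEncryption": "2a864886f70d010101",
        "sha1WithRSAEncryption": "2a864886f70d010105", "challengePassword": "2a864886f70d010907"}
OID_NAMES = {bytes.fromhex(v): k for k, v in OIDS.items()}  # DER OID content -> short name

def der(tag, payload):  # tag + length + value; lengths of 128 or more use the long form
    n = len(payload)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + payload
def oid(name): return der(0x06, bytes.fromhex(OIDS[name]))
def der_int(n): return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit stays clear
def children(buf):  # split a constructed DER value into its (tag, value) elements
    pos, out = 0, []
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: the next (n & 0x7F) bytes hold the real length
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def build_csr_pem(subject, modulus, exponent, challenge):  # info + AlgorithmIdentifier + signature
    name = der(0x30, b"".join(der(0x31, der(0x30, oid(k) + der(0x0C, v.encode())))
                              for k, v in subject))
    key = der(0x03, b"\x00" + der(0x30, der_int(modulus) + der_int(exponent)))  # RSAPublicKey
    spki = der(0x30, der(0x30, oid("rsaEncryption") + der(0x05, b"")) + key)
    attrs = der(0xA0, der(0x30, oid("challengePassword") + der(0x31, der(0x0C, challenge.encode()))))
    info = der(0x30, der_int(0) + name + spki + attrs)  # version 0, Subject, SubjectPKInfo, [0] attributes
    sig = der(0x30, oid("sha1WithRSAEncryption") + der(0x05, b"")) + der(0x03, bytes(129))  # placeholder
    b64 = base64.b64encode(der(0x30, info + sig)).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE REQUEST-----\n"

def decode_csr(pem):  # subject, key size, exponent, attributes and signature algorithm of a PEM CSR
    raw = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    info, sig_alg, _sig = children(children(raw)[0][1])
    _ver, name, spki, attrs = children(info[1])
    subject = {OID_NAMES[atv[0][1]]: atv[1][1].decode() for _, rdn in children(name[1])
               for _, raw_atv in children(rdn) for atv in [children(raw_atv)]}
    _alg, (_, bits) = children(spki[1])  # bits[0] is the BIT STRING unused-bits count
    modulus, exponent = (int.from_bytes(v, "big") for _, v in children(children(bits[1:])[0][1]))
    attributes = {OID_NAMES[a[0][1]]: children(a[1][1])[0][1].decode()
                  for _, raw_a in children(attrs[1]) for a in [children(raw_a)]}
    return {"subject": subject, "key_bits": modulus.bit_length(), "exponent": exponent,
            "attributes": attributes, "signature_algorithm": OID_NAMES[children(sig_alg[1])[0][1]]}

SAMPLE_PEM = build_csr_pem([("C", "IN"), ("ST", "TN"), ("L", "CHENNAI"), ("O", "SpiceUp"), ("OU", "NS")], (1 << 1023) | 0x10001, 65537, "123456")
```

Feeding a real CSR to decode_csr shows the same subject and key fields that the OpenSSL output lists, including the challengePassword value that OpenSSL reports as "unable to print attribute".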
