 |
del.icio.us |
 |
Digg |
 |
Furl |
 |
|
 |
Rojo |
| Add to OnlyWire |
In public key infrastructure systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a directory name in the case of an X.509 certificate), and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.
If the request is successful, the certificate authority will send back an identity certificate that has been digitally signed with the private key of the certificate authority.
The PKCS#10 standard defines a binary format for encoding CSRs for use with X.509. It is expressed in ASN.1. Here is an example of how you can examine its ASN.1 structure using OpenSSL :
openssl asn1parse -in your_request
A CSR may be represented as a Base64 encoded PKCS#10; an example of which is given below:
-----BEGIN CERTIFICATE REQUEST----- MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K 9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC -----END CERTIFICATE REQUEST-----
The above certificate's ASN.1 structure (as parsed by openssl) appears as the following:
0:d=0 hl=4 l= 413 cons: SEQUENCE
4:d=1 hl=4 l= 262 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 93 cons: SEQUENCE
13:d=3 hl=2 l= 11 cons: SET
15:d=4 hl=2 l= 9 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :countryName
22:d=5 hl=2 l= 2 prim: PRINTABLESTRING :SG
26:d=3 hl=2 l= 17 cons: SET
28:d=4 hl=2 l= 15 cons: SEQUENCE
30:d=5 hl=2 l= 3 prim: OBJECT :organizationName
35:d=5 hl=2 l= 8 prim: PRINTABLESTRING :M2Crypto
45:d=3 hl=2 l= 18 cons: SET
47:d=4 hl=2 l= 16 cons: SEQUENCE
49:d=5 hl=2 l= 3 prim: OBJECT :commonName
54:d=5 hl=2 l= 9 prim: PRINTABLESTRING :localhost
65:d=3 hl=2 l= 39 cons: SET
67:d=4 hl=2 l= 37 cons: SEQUENCE
69:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
80:d=5 hl=2 l= 24 prim: IA5STRING :admin@server.example.dom
106:d=2 hl=3 l= 159 cons: SEQUENCE
109:d=3 hl=2 l= 13 cons: SEQUENCE
111:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
122:d=4 hl=2 l= 0 prim: NULL
124:d=3 hl=3 l= 141 prim: BIT STRING
268:d=2 hl=2 l= 0 cons: cont [ 0 ]
270:d=1 hl=2 l= 13 cons: SEQUENCE
272:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
283:d=2 hl=2 l= 0 prim: NULL
285:d=1 hl=3 l= 129 prim: BIT STRING
(This was generated by supplying the base64 encoding into the command openssl asn1parse -inform PEM -i where PEM stands for Privacy-enhanced mail and describes the encoding of the ASN.1 Distinguished Encoding Rules in base64.)
External links
- CSR Decoder — can be used to decode and examine a Base64 encoded CSR.
- CSR Decoder — Ditto - but not based on OpenSSL.
- CSR Decoder SSL.nu
- Online CSR checker - Will check that a CSR is valid for submission to a certification authority
 |
This cryptography-related article is a stub. You can help Wikipedia by expanding it. |
