
Certificate Signing Request (CSR) workflow

A Certificate Signing Request (CSR) is a message sent to a Certificate Authority (CA) to apply for a digital identity certificate^[600-developer__tools__security__CA.md]. Within the X.509 framework, the CSR file serves as the primary vehicle for an entity to transmit its public key and identifying information to the CA for validation^[600-developer__tools__security__CA.md].

The workflow described here uses openssl, the standard command-line tool for these operations.

Workflow overview

The process of obtaining a signed certificate typically involves three main stages: generating a key pair, creating the CSR, and having the CSR signed by a CA^[600-developer__tools__security__CA.md].

1. Generating the Private Key

Before a request can be created, the applicant must generate a private key^[600-developer__tools__security__CA.md].

For example, to generate a 2048-bit RSA private key, the following command is used^[600-developer__tools__security__CA.md]:

openssl genrsa -out ca.key 2048
  • -out ca.key: Specifies the filename for the generated private key.
  • 2048: Specifies the key length in bits.

Password Protection

While generating the key, you may choose to encrypt it with a password (e.g., using the -des3 flag). This adds a layer of security but requires the password to be entered whenever the key is used^[600-developer__tools__security__CA.md].

openssl genrsa -des3 -out ca-des3.key 2048

2. Creating the CSR (Certificate Request)

Once the private key exists, the CSR is generated using the req command^[600-developer__tools__security__CA.md]. This command creates a file containing the certificate request information, which effectively acts as a formal application to the CA^[600-developer__tools__security__CA.md].

For example, to generate a self-signed X.509 certificate (the -x509 option skips the separate request and outputs a certificate directly from the key; this form is commonly used when establishing a Root CA)^[600-developer__tools__security__CA.md]:

openssl req -x509 -key ca.key -out ca.crt -days 3650

In a standard CA workflow (where the request is sent to an external authority), the command looks like:

openssl req -new -key server.key -out server.csr

Key Parameters

  • req: Invokes the certificate request utility^[600-developer__tools__security__CA.md].
  • -new: Indicates a new request is being created.
  • -key <filename>: Specifies the private key to use (must correspond to the public key being submitted).
  • -out <filename>: Specifies the output file for the CSR.
  • -x509: Outputs a self-signed certificate instead of a request (common when establishing a Root CA).
  • -days <n>: Sets the validity period of the certificate (if outputting a certificate).

Distinguished Name (DN) Input

During execution, the system will prompt for a Distinguished Name (DN)^[600-developer__tools__security__CA.md]. This information identifies the entity applying for the certificate^[600-developer__tools__security__CA.md]. Common fields include:

  • Country Name (C): 2-letter country code^[600-developer__tools__security__CA.md].
  • State or Province Name (ST): Full name of the state or province^[600-developer__tools__security__CA.md].
  • Locality Name (L): The city^[600-developer__tools__security__CA.md].
  • Organization Name (O): The company name^[600-developer__tools__security__CA.md].
  • Organizational Unit Name (OU): The department or section (e.g., 'dev')^[600-developer__tools__security__CA.md].
  • Common Name (CN): The fully qualified domain name (FQDN) or the server's name^[600-developer__tools__security__CA.md].
  • Email Address: Contact email^[600-developer__tools__security__CA.md].

3. Signing the CSR

If you are running your own Certificate Authority, you will sign the CSR to issue the certificate.

The openssl ca command is used to act as the Certificate Authority and sign the request^[600-developer__tools__security__CA.md].

openssl ca -in tempreq.pem -out server_crt.pem
  • -in tempreq.pem: The input CSR file.
  • -out server_crt.pem: The output signed certificate file.

Verification

After receiving or generating the certificate, it is best practice to verify its details^[600-developer__tools__security__CA.md]. You can read the certificate data to ensure it matches the request and contains the correct validity period and extensions^[600-developer__tools__security__CA.md].

openssl x509 -in ca.crt -text -noout
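The three stages above run end to end, as an added example that is not part of the original note: it builds a throwaway root CA, generates a server key and CSR with the DN supplied through -subj instead of the interactive prompts, signs the CSR with openssl ca using a minimal config written inline, and then verifies the result. The hostname server.example.test, the DN values, the section names in the config and the working directory are all constructed for this example. It also adds one check the note does not show: before the CA signs anything, confirm that the public key in the CSR really belongs to the private key you hold.

```shell
#!/bin/sh
# Added example (not from the original note): the full CSR workflow with openssl.
# Everything here is constructed: server.example.test, the DN values, the CA
# directory layout. WORK is a scratch directory (argument 1, or a temp dir).
set -eu
WORK="${1:-$(mktemp -d)}"

# One minimal config for both `openssl req` and `openssl ca`. `openssl ca` will
# not run without a section like [example_ca] naming its database and files.
write_config() {
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = example_ca
[ example_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
policy = dn_policy
x509_extensions = server_ext
copy_extensions = copy
[ dn_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"      # the CA's issuance database, empty to start
  echo 01 > "$WORK/serial"   # next serial number to issue
}

# Step 1: private keys for the CA and the server; keys are secrets, so 0600.
generate_keys() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  chmod 600 "$WORK/ca.key" "$WORK/server.key"
}

# -x509 turns the request into a self-signed root certificate with CA extensions.
create_root_ca() {
  openssl req -x509 -new -key "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/C=US/ST=State/L=City/O=Example Org/OU=dev/CN=Example Root CA"
}

# Step 2: the server CSR. -subj replaces the interactive DN prompts; -addext
# puts the SAN into the request (clients match the SAN, not only the CN).
create_server_csr() {
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -config "$WORK/openssl.cnf" \
    -subj "/C=US/ST=State/L=City/O=Example Org/OU=dev/CN=server.example.test" \
    -addext "subjectAltName=DNS:server.example.test"
}

# Before signing: the CSR's self-signature must verify, and its public key must
# be the one derived from the private key we hold. Prints match or mismatch.
check_key_matches_csr() {
  openssl req -in "$2" -noout -verify >/dev/null 2>&1 || { echo "bad-signature"; return; }
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  csr_pub="$(openssl req -in "$2" -noout -pubkey 2>/dev/null)"
  [ "$key_pub" = "$csr_pub" ] && echo "match" || echo "mismatch"
}

# Step 3: act as the CA. -batch answers the confirmation prompts; extensions
# come from [server_ext] plus what copy_extensions admits from the CSR.
sign_csr() {
  openssl ca -config "$WORK/openssl.cnf" -batch -notext \
    -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}

# Verification: the certificate chains to the root and carries the extensions
# the CA policy dictates (end-entity, with the requested SAN). Prints ok.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 || return 1
  text="$(openssl x509 -in "$WORK/server.crt" -noout -text)"
  echo "$text" | grep -q 'CA:FALSE' || return 1
  echo "$text" | grep -q 'DNS:server.example.test' || return 1
  echo "ok"
}

write_config
generate_keys
create_root_ca
create_server_csr
check_key_matches_csr "$WORK/server.key" "$WORK/server.csr"
sign_csr
verify_cert
echo "artifacts in $WORK"
```

Run it as sh csr-workflow.sh [workdir]. Two points the bare commands in the note hide: openssl ca needs a config section naming its database, serial file, CA certificate and key, so it cannot be run from a fresh directory as written; and it ignores extensions in the CSR unless copy_extensions is set. Because the server_ext section already fixes basicConstraints to CA:FALSE and the key usages, only extensions the CA has not set (here the SAN) are taken from the request, so a CSR asking for CA:TRUE would not be honoured. The CA, not the requester, decides what the certificate says.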

Related

  • [[流程化筆記]]
  • [[X.509]]

Sources

^[600-developer__tools__security__CA.md]