Thursday, May 12, 2011

What is a CSR (Certificate Signing Request)?


A CSR, or Certificate Signing Request, is a block of encoded text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate, such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.


| Name | Explanation | Examples |
|---|---|---|
| Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error. | *.spiceupyourknowledge.net, www.spiceupyourknowledge.net |
| Organization | The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. | Spice Up Your Knowledge Corp. |
| Organizational Unit | The division of your organization handling the certificate. | Information Technology, IT Department |
| City/Locality | The city where your organization is located. | Chennai |
| State/County/Region | The state/region where your organization is located. This shouldn't be abbreviated. | TN |
| Country | The two-letter ISO code for the country where your organization is located. | IN |
| Email address | An email address used to contact your organization. | spiceupyourknowledge@gmail.com |


What is a CSR's format?

Most CSRs are created in the Base-64 encoded PEM format. This format includes the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at the beginning and end of the CSR. A PEM format CSR can be opened in a text editor and looks like the following example:

-----BEGIN CERTIFICATE REQUEST-----
[Base64-encoded request data]
-----END CERTIFICATE REQUEST-----


How do I generate a CSR and private key?

It is usual to generate the CSR and private key on the server that the certificate will be used on, but this is not mandatory. You can follow the steps below to generate a CSR and private key.

C:\OpenSSL\bin>openssl.exe req -new -keyout srv.key -out srv.csr
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........................................................................++++++

writing new private key to 'srv.key'
Enter PEM pass phrase: ******
Verifying - Enter PEM pass phrase: ******

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CHENNAI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Spice Up Your Knowledge
Organizational Unit Name (eg, section) []:NS
Common Name (eg, YOUR name) []:www.spiceupyourknowledge.net
Email Address []:spiceupyourknowledge@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:


How to decode a CSR?

You can easily decode your CSR to see what is in it by using our CSR Decoder. In order to decode a CSR on your own machine using OpenSSL, use the following command:

C:\OpenSSL\bin>openssl req -in srv.csr -noout -text
Certificate Request:
Data:
      Version: 0 (0x0)
      Subject: C=IN, ST=TN, L=CHENNAI, O=SpiceUp, OU=NS, CN=www.spiceupyourknowledge.net
/emailAddress=spiceupyourknowledge@gmail.com
              Subject Public Key Info:
                     Public Key Algorithm: rsaEncryption
                           Public-Key: (1024 bit)
                           Modulus:
                                    00:d8:4d:55:05:2b:79:34:28:5d:9e:14:89:60:ad:
                                    32:25:5c:e0:53:fd:c6:01:3f:43:ca:4b:71:ae:6f:
                                    0b:54:56:5f:cb:b6:e3:80:3e:63:84:03:79:d0:2c:
                                    35:4b:19:84:4a:ab:e4:e2:61:92:21:f7:9d:cd:a8:
                                    be:ca:3c:f5:8b:12:67:15:2d:ba:9e:17:a6:b9:22:
                                    19:b0:d2:e1:d2:81:18:0b:10:f3:90:0a:4d:67:97:
                                    d2:54:7c:64:00:a7:ff:ef:a0:be:a5:ba:3a:05:6d:
                                    ec:f4:75:ea:94:67:1a:f4:0d:1f:3d:99:78:31:df:
                                    7e:c1:de:e2:ee:1b:f8:d1:15
                            Exponent: 65537 (0x10001)
                Attributes:
                      challengePassword :unable to print attribute
          Signature Algorithm: sha1WithRSAEncryption
                 82:c6:b7:2a:76:cd:61:72:f0:11:63:f8:29:84:6a:bb:e7:5c:
                 c7:9b:ef:99:5e:68:67:bc:c8:c8:50:d7:39:fa:b5:c4:8e:d8:
                 58:79:4b:af:84:34:82:99:d8:d1:71:7e:69:56:bf:ef:b2:c8:
                 64:4c:d0:79:bf:4f:c7:51:0a:48:b9:e7:69:7e:18:a9:9f:71:
                 3c:2e:1b:92:79:5a:bc:ca:1f:97:74:4f:65:32:0b:6d:4e:bf:
                 3d:5b:8c:a9:6a:60:04:03:6b:a3:86:8b:36:7a:35:77:36:b7:
                 71:3a:da:b2:c5:cf:db:13:38:10:81:f6:a8:e9:8b:17:77:f8:
                 be:5e
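
The sessions above produce a 1024-bit RSA key and a request signed with sha1WithRSAEncryption, both weaker than current CA minimums. As an added example (not part of the original post), the script below generates a 2048-bit key and SHA-256-signed CSR without the prompts, then checks the key size, the signature algorithm, the self-signature, and that the CSR really belongs to the private key. The pass phrase, the temporary directory and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Pass phrase and subject are constructed.
set -eu

# Create a pass-phrase-protected 2048-bit RSA key and a SHA-256-signed CSR
# without the interactive prompts. $1 = output directory, $2 = subject DN.
make_csr() {
    openssl req -new -newkey rsa:2048 -sha256 -passout env:KEYPASS \
        -keyout "$1/srv.key" -out "$1/srv.csr" -subj "$2" 2>/dev/null
}

# Key size in bits, read from the decoded CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Name of the algorithm that signed the request.
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# True when the CSR's self-signature verifies against its own public key.
csr_sig_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# True when the CSR carries the public half of the private key in $2.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -passin env:KEYPASS -pubout | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# Print findings for a CSR/key pair; return non-zero if any check fails.
audit_csr() {
    rc=0; bits=$(csr_key_bits "$1"); alg=$(csr_sig_alg "$1")
    [ "$bits" -ge 2048 ] || { echo "WEAK: $bits-bit RSA key"; rc=1; }
    case "$alg" in sha1*|md5*) echo "WEAK: signed with $alg"; rc=1 ;; esac
    csr_sig_ok "$1" || { echo "FAIL: self-signature does not verify"; rc=1; }
    csr_matches_key "$1" "$2" || { echo "FAIL: CSR does not match this key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $bits-bit key, $alg"
    return "$rc"
}

workdir=$(mktemp -d); trap 'rm -rf "$workdir"' EXIT
export KEYPASS='constructed-demo-passphrase'
make_csr "$workdir" "/C=IN/ST=TN/L=Chennai/O=Spice Up Your Knowledge/CN=www.spiceupyourknowledge.net"
audit_csr "$workdir/srv.csr" "$workdir/srv.key"
```

Run against the srv.csr decoded above, `audit_csr` would flag both the 1024-bit key and the sha1WithRSAEncryption signature.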


