Certificate Signing Request
A Certificate Signing Request (CSR), also called a Certification Request, is a digital request to have a digital certificate created from a public key by means of a digital signature.
Procedure
A Certificate Signing Request is used to ensure that the private key of the buyer of a public certificate remains secret from the Certificate Authority (CA).
- In the first step, the customer generates a key pair (a private key and a public key) on his own private hardware.
- In the second step, the customer creates a CSR file, which is an electronic form. In addition to the application data, it also contains his public key.
- In the third step, the customer sends the CSR to the CA.
- In the fourth step, the CA checks the application (i.e. the CSR file with the form details and the public key it contains). If the check is positive, the CA sends back a new public certificate to the buyer (as a double-signed public key).
Form data
A relevant industry standard for X.509 is PKCS #10. The request is signed with the private key of the applicant and consists of a public key, a distinguished name and optional attributes. The name and attributes are requested in a dialog such as the following:
    Country Name (2 letter code) [AU]: DE
    State or Province Name (full name) [Some-State]: Bayern
    Locality Name (eg, city) []: Ingolstadt
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Beispiel e.V.
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []: www.example.net
    Email Address []: webmaster@example.net
In this OpenSSL example, the indispensable name is called the Common Name. The applicant's request can be reconstructed from a certificate and the associated private key. The request can be created in printable PEM format or as a binary file in DER format. It is then sent to a certification authority.
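The procedure and the form data described above, as an added example using the openssl command line (not part of the original article): the applicant creates the key pair and the request, and the CA side checks the request's self-signature in both PEM and DER form. The file names and the helper function names are assumptions; the subject values are the sample answers from the dialog above.

```shell
#!/bin/sh
# Added example (not from the original article). File names are assumptions;
# the subject values are the sample answers from the OpenSSL dialog above.
SUBJ="/C=DE/ST=Bayern/L=Ingolstadt/O=Beispiel e.V./CN=www.example.net/emailAddress=webmaster@example.net"

# Applicant, steps 1-2: generate the key pair locally, then build the PKCS #10
# request. Only req.pem is sent to the CA; applicant.key stays on this machine.
make_csr() {   # $1 = directory for the output files
    openssl genrsa -out "$1/applicant.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/applicant.key" -subj "$SUBJ" -out "$1/req.pem"
}

# CA, step 4: accept the request only if its self-signature verifies, i.e. the
# sender holds the private key matching the embedded public key. The message is
# matched because the exit status is not reliable across OpenSSL versions.
ca_check() {   # $1 = CSR file, $2 = PEM or DER
    openssl req -in "$1" -inform "$2" -noout -verify 2>&1 | grep -q "verify OK"
}

# The public key in the CSR is the applicant's; no private key material is in it.
csr_matches_key() {   # $1 = CSR (PEM), $2 = private key
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] &&
    ! grep -q "PRIVATE KEY" "$1"
}

# Same request in binary DER form, plus a copy with one byte inside the signed
# CertificationRequestInfo overwritten (constructed tampering for the check).
to_der_and_tamper() {   # $1 = directory containing req.pem
    openssl req -in "$1/req.pem" -outform DER -out "$1/req.der" &&
    cp "$1/req.der" "$1/bad.der" &&
    printf 'X' | dd of="$1/bad.der" bs=1 seek=40 conv=notrunc 2>/dev/null
}

dir=$(mktemp -d)
make_csr "$dir" && to_der_and_tamper "$dir"
ca_check "$dir/req.pem" PEM && echo "PEM request: accepted"
ca_check "$dir/req.der" DER && echo "DER request: accepted"
ca_check "$dir/bad.der" DER || echo "modified request: rejected"
csr_matches_key "$dir/req.pem" "$dir/applicant.key" && echo "public key matches, private key absent"
openssl req -in "$dir/req.pem" -noout -subject -nameopt RFC2253
rm -rf "$dir"
```

The self-signature check only proves possession of the private key; the CA's check of the form details themselves is a separate step.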
Norms and standards
- RFC 2314 - PKCS #10: Certification Request Syntax Version 1.5 [Obsolete]
- RFC 2986 - Certification Request Syntax Specification Version 1.7
- RFC 5967 - The application/pkcs10 Media Type [additions]
Literature
- Reiko Kaps: Another coffin nail. How CAs further undermine trust in SSL technology. In: c't. No. 14, 2014, p. 46 f. (heise.de [accessed on August 11, 2019]; description of the problem and solution via CSR).
Web links
- privacy-handbuch.de/... - Concise one-page overview including brief instructions (accessed on December 2, 2018).