Message sent to a certificate authority to apply for a certificate.

In public key infrastructure (PKI) systems, a certificate signing request (CSR or certification request) is a message sent from an applicant to a certificate authority of the public key infrastructure (PKI) in order to apply for a digital identity certificate. The CSR usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and a proof of authenticity including integrity protection (e.g., a digital signature). The most common format for CSRs is the PKCS #10 specification; others include the more capable Certificate Request Message Format (CRMF) and the SPKAC (Signed Public Key and Challenge) format generated by some web browsers.

Procedure

Before creating a CSR for an X.509 certificate, the applicant first generates a key pair, keeping the private key of that pair secret, e.g.:

    # https://www.openssl.org/docs/manmaster/man1/openssl-genrsa.html
    # "openssl genrsa" creates an RSA private key:
    $ openssl genrsa -out 2024_wikipedia.org.key

The CSR contains information identifying the applicant (such as a distinguished name), the public key chosen by the applicant, and possibly further information. When using the PKCS #10 format, the request must be self-signed using the applicant's private key, which provides proof-of-possession of the private key but limits the use of this format to keys that can be used for (some form of) signing. The CSR should be accompanied by a proof of origin (i.e., proof of identity of the applicant) that is required by the certificate authority, and the certificate authority may contact the applicant for further information.

Typical information required in a CSR (sample column from sample X.509 certificate). Note that there are often alternatives for the Distinguished Names (DN), the preferred value is listed.

| DN | Information | Description | Sample |
|---|---|---|---|
| CN | Common Name | This is the fully qualified domain name that you wish to secure | *.wikipedia.org |
| O | Organization Name | Usually the legal name of a company or entity and should include any suffixes such as Ltd., Inc., or Corp. | Wikimedia Foundation, Inc. |
| OU | Organizational Unit | Internal organization department/division name | IT |
| L | Locality | Town, city, village, etc. name | San Francisco |
| ST | State | Province, region, county or state. This should not be abbreviated (e.g. West Sussex, Normandy, New Jersey). | California |
| C | Country | The two-letter ISO code for the country where your organization is located | US |
| EMAIL | Email Address | The organization contact, usually of the certificate administrator or IT department | |

This sample command line uses the details as listed in the table above:

    # https://www.openssl.org/docs/manmaster/man1/openssl-req.html
    # "openssl req" creates a signing request:
    $ openssl req -sha512 -new -subj "/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org" -key 2024_wikipedia.org.key -out 2024_wikipedia.org.csr

If the request is successful, the certificate authority will send back an identity certificate that has been digitally signed using the private key of the certificate authority.

Structure of a PKCS #10 CSR

A certification request in PKCS #10 format consists of three main parts: the certification request information, a signature algorithm identifier, and a digital signature on the certification request information. The first part contains the significant information, including the public key. The signature by the requester prevents an entity from requesting a bogus certificate of someone else's public key. Thus the private key is needed to produce a PKCS #10 CSR, but it is not part of the CSR.

CSR for personal ID certificates and signing certificates must have the email address of the ID holder or name of organisation in case of business ID.

The first part, ASN.1 type CertificationRequestInfo, consists of a version number (which is 0 for all known versions, 1.0, 1.5, and 1.7 of the specifications), the subject name, the public key (algorithm identifier + bit string), and a collection of attributes providing additional information about the subject of the certificate. The attributes can contain required certificate extensions, a challenge-password to restrict revocations, as well as any additional information about the subject of the certificate, possibly including local or future types.

Example of a PKCS #10 CSR

The PKCS#10 standard defines a binary format for encoding CSRs for use with X.509. It is expressed in ASN.1. Here is an example of how you can examine its ASN.1 structure using OpenSSL:

    openssl asn1parse -i -in your_request.p10

A CSR may be represented as a Base64 encoded PKCS#10; an example of which is given below:

    -----BEGIN CERTIFICATE REQUEST-----
    MIICzDCCAbQCAQAwgYYxCzAJBgNVBAYTAkVOMQ0wCwYDVQQIDARub25lMQ0wCwYD
    VQQHDARub25lMRIwEAYDVQQKDAlXaWtpcGVkaWExDTALBgNVBAsMBG5vbmUxGDAW
    BgNVBAMMDyoud2lraXBlZGlhLm9yZzEcMBoGCSqGSIb3DQEJARYNbm9uZUBub25l
    LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMP/U8RlcCD6E8AL
    PT8LLUR9ygyygPCaSmIEC8zXGJung3ykElXFRz/Jc/bu0hxCxi2YDz5IjxBBOpB/
    kieG83HsSmZZtR+drZIQ6vOsr/ucvpnB9z4XzKuabNGZ5ZiTSQ9L7Mx8FzvUTq5y
    /ArIuM+FBeuno/IV8zvwAe/VRa8i0QjFXT9vBBp35aeatdnJ2ds50yKCsHHcjvtr
    9/8zPVqqmhl2XFS3Qdqlsprzbgksom67OobJGjaV+fNHNQ0o/rzP//Pl3i7vvaEG
    7Ff8tQhEwR9nJUR1T6Z7ln7S6cOr23YozgWVkEJ/dSr6LAopb+cZ88FzW5NszU6i
    57HhA7ECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQBn8OCVOIx+n0AS6WbEmYDR
    SspR9xOCoOwYfamB+2Bpmt82R01zJ/kaqzUtZUjaGvQvAaz5lUwoMdaO0X7I5Xfl
    sllMFDaYoGD4Rru4s8gz2qG/QHWA8uPXzJVAj6X0olbIdLTEqTKsnBj4Zr1AJCNy
    /YcG4ouLJr140o26MhwBpoCRpPjAgdYMH60BYfnc4/DILxMVqR9xqK1s98d6Ob/+
    3wHFK+S7BRWrJQXcM8veAexXuk9lHQ+FgGfD0eSYGz0kyP26Qa2pLTwumjt+nBPl
    rfJxaLHwTQ/1988G0H35ED0f9Md5fzoKi5evU1wG5WRxdEUPyt3QUXxdQ69i0C+7
    -----END CERTIFICATE REQUEST-----

The above certificate signing request's ASN.1 structure (as parsed by openssl) appears as the following, where the first number is the byte offset, d=depth, hl=header length of the current type, l=length of content:

    0:d=0 hl=4 l= 716 cons: SEQUENCE
    4:d=1 hl=4 l= 436 cons: SEQUENCE
    8:d=2 hl=2 l= 1 prim: INTEGER :00
    11:d=2 hl=3 l= 134 cons: SEQUENCE
    14:d=3 hl=2 l= 11 cons: SET
    16:d=4 hl=2 l= 9 cons: SEQUENCE
    18:d=5 hl=2 l= 3 prim: OBJECT :countryName
    23:d=5 hl=2 l= 2 prim: PRINTABLESTRING :EN
    27:d=3 hl=2 l= 13 cons: SET
    29:d=4 hl=2 l= 11 cons: SEQUENCE
    31:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
    36:d=5 hl=2 l= 4 prim: UTF8STRING :none
    42:d=3 hl=2 l= 13 cons: SET
    44:d=4 hl=2 l= 11 cons: SEQUENCE
    46:d=5 hl=2 l= 3 prim: OBJECT :localityName
    51:d=5 hl=2 l= 4 prim: UTF8STRING :none
    57:d=3 hl=2 l= 18 cons: SET
    59:d=4 hl=2 l= 16 cons: SEQUENCE
    61:d=5 hl=2 l= 3 prim: OBJECT :organizationName
    66:d=5 hl=2 l= 9 prim: UTF8STRING :Wikipedia
    77:d=3 hl=2 l= 13 cons: SET
    79:d=4 hl=2 l= 11 cons: SEQUENCE
    81:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
    86:d=5 hl=2 l= 4 prim: UTF8STRING :none
    92:d=3 hl=2 l= 24 cons: SET
    94:d=4 hl=2 l= 22 cons: SEQUENCE
    96:d=5 hl=2 l= 3 prim: OBJECT :commonName
    101:d=5 hl=2 l= 15 prim: UTF8STRING :*.wikipedia.org
    118:d=3 hl=2 l= 28 cons: SET
    120:d=4 hl=2 l= 26 cons: SEQUENCE
    122:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
    133:d=5 hl=2 l= 13 prim: IA5STRING :
    148:d=2 hl=4 l= 290 cons: SEQUENCE
    152:d=3 hl=2 l= 13 cons: SEQUENCE
    154:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
    165:d=4 hl=2 l= 0 prim: NULL
    167:d=3 hl=4 l= 271 prim: BIT STRING
    442:d=2 hl=2 l= 0 cons: cont
    444:d=1 hl=2 l= 13 cons: SEQUENCE
    446:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
    457:d=2 hl=2 l= 0 prim: NULL
    459:d=1 hl=4 l= 257 prim: BIT STRING

This was generated by supplying the base64 encoding into the command

    openssl asn1parse -in your_request.p10 -inform PEM -i

where PEM (Privacy-Enhanced Mail) is the encoding of the ASN.1 Distinguished Encoding Rules in base64.