OpenSSL CSR File Structure and Components

Q

What is the OpenSSL CSR file structure and components?

✍: FYIcenter.com

A

By default, CSR (Certificate Signing Request) files generated by the OpenSSL "req" command follow these rules:

1. CSR files are stored in PEM (Privacy-enhanced mail) format, which uses DER (Distinguished Encoding Rules) standard to serialize data elements into a binary string, then uses Base64 to encode the binary string into a printable character string.

2. CSR data elements follow the "RFC5967 - PKCS #10: Certification Request Syntax Specification, Version 1.7" specification.

The RFC5867, or PKCS#10, specifies that a CSR should have 3 parts:

1. "certificationRequestInfo" - Provides information of the certification request, which contains:

  • "version" - Provides the version number, which is 0 for all versions of the PKCS #10 specification.
  • "subject" - Provides the distinguished name of the certificate subject, the entity whose public key is to be certified.
  • "subjectPKInfo" - Provides the algorithm identifier of the public key and the public key itself.
  • "attributes" - Provides a collection of additional pieces of information about the subject.

2. "signatureAlgorithm" - Provides what algorithm was used to generate the digital signature of the "certificationRequestInfo".

3. "signature" - Provides the digital signature of the "certificationRequestInfo", signed by the private key of the subject. The signature can be verified by the public key included in the "certificationRequestInfo".

 

OpenSSL "req -text" Output and CSR Components

OpenSSL "req -text" - Print CSR in Text

OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2018-01-19, 1053👍, 1💬