OpenSSL CSR File Structure and Components


What is the OpenSSL CSR file structure and components?



By default, CSR (Certificate Signing Request) files generated by the OpenSSL "req" command follow these rules:

1. CSR files are stored in PEM (Privacy-enhanced mail) format, which uses DER (Distinguished Encoding Rules) standard to serialize data elements into a binary string, then uses Base64 to encode the binary string into a printable character string.

2. CSR data elements follow the "RFC5967 - PKCS #10: Certification Request Syntax Specification, Version 1.7" specification.

The RFC5867, or PKCS#10, specifies that a CSR should have 3 parts:

1. "certificationRequestInfo" - Provides information of the certification request, which contains:

  • "version" - Provides the version number, which is 0 for all versions of the PKCS #10 specification.
  • "subject" - Provides the distinguished name of the certificate subject, the entity whose public key is to be certified.
  • "subjectPKInfo" - Provides the algorithm identifier of the public key and the public key itself.
  • "attributes" - Provides a collection of additional pieces of information about the subject.

2. "signatureAlgorithm" - Provides what algorithm was used to generate the digital signature of the "certificationRequestInfo".

3. "signature" - Provides the digital signature of the "certificationRequestInfo", signed by the private key of the subject. The signature can be verified by the public key included in the "certificationRequestInfo".


OpenSSL "req -text" Output and CSR Components

OpenSSL "req -text" - Print CSR in Text

OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2018-01-19, 4655🔥, 1💬