Certificate Signing Request (CSR)

The Certificate Signing Request (CSR) is a cryptographic file used to request a digital certificate from a Certification Authority (CA). It was originally specified in PKCS #10 (as a part of the Public Key Cryptography Standards from RSA).

This standard was incorporated pretty much intact in the IETF RFC library as RFC 2986, “PKCS #10: Certificate Request Syntax Specification Version 1.7”, November 2000.

A CSR is a complex binary format, similar to an X.509 digital certificate. A Certification Authority (CA) can create an X.509 certificate from a CSR, plus some additional information they supply, like start date, end date, serial number, issuer distinguished name, etc.
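The relationship described above, as an added Go example built on the standard library's `crypto/x509` package (not code from SixWallet or from the original page): the requester builds and signs a CSR, and a CA checks that signature before adding its own serial number, validity dates and issuer name. The subject values, the helper names `newKey`, `makeCSR` and `issue`, and the bare issuer template standing in for a real CA certificate are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// makeCSR builds the PKCS #10 request: subject DN plus public key, signed with the private key.
func makeCSR(key *ecdsa.PrivateKey, cn, org string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{org}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), err
}

// issue plays the CA: verify the CSR's self-signature, then add the fields only the CA supplies.
func issue(csrPEM []byte, caKey *ecdsa.PrivateKey, issuerCN string, serial int64, days int) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature() // proves the requester holds the matching private key
	}
	if err != nil {
		return nil, fmt.Errorf("rejecting CSR: %w", err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{Subject: csr.Subject, SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.AddDate(0, 0, days)}
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}} // assumed stand-in for the CA's own certificate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	reqKey, _ := newKey() // errors ignored in this demo driver only
	caKey, _ := newKey()
	csr, _ := makeCSR(reqKey, "alice.example", "Example Org") // constructed sample subject
	certPEM, err := issue(csr, caKey, "Example Test CA", 1001, 90)
	fmt.Printf("%s%s%v\n", csr, certPEM, err)
}
```

The subject and public key in the issued certificate come from the CSR; everything else is set by the CA, and a CSR whose contents were altered after signing is rejected at `CheckSignature`.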

There are various tools for creating a CSR and private key, such as the OpenSSL command line tool, and some websites. However, I use my SixWallet app to create a CSR quickly and easily. I can submit it securely via IRP to any compliant CA, or view the CSR in PEM format to paste into a typical CA website. SixWallet will create a randomly chosen public/private keypair (and keep the private key securely in its local database), then allow you to manage your distinguished name info and build the CSR.

This form allows you to enter your Subject Distinguished Name info and save it (and the private key) in the local database:

Once the CSR is created, you can view it in PEM format:

You would cut and paste that into the CA website. When the issued cert is returned, you can reassociate it with the private key in the local database and store the key material (cert and private key) in the MS Certificate Store:

You would click Get Cert from File and load the returned cert. This would save the new key material in the MS Certificate Store in your Personal folder:

Now your new key material is in your Windows Certificate Store. If you double-click on it, you will see the new cert:
