## page was renamed from CSR ## 20170118 AK ---- [[FAQ/CSR/CZ|Ĩesky]] | '''english''' ---- = What is a "CSR" and how do I get one? = '''CSR''' is a '''C'''ertificate '''S'''igning '''R'''equest. It is a file with a special contents. == Basic overview == You have to create a CSR file on your computer (a PC or a server). You can use, for example, the following means: * for a Windows OS: * a web browser, /!\ NOTE /!\ - [[TutorialsHowto/Generate-new-CSR|Use CAcert's new CSR generation tool]] * the Certificates module of the MMC administrative tool, * the OpenSSL for Windows program, * the XCA for Windows program. * for a Linux OS: * a web browser, /!\ NOTE /!\ - [[TutorialsHowto/Generate-new-CSR|Use CAcert's new CSR generation tool]] * the OpenSSL for Linux program, * the XCA for Linux program. /!\ '''NOTE on CSR generating in browsers since 20170101 - important!''' /!\ Most modern browsers can't successfully generate a CSR the old way, so instead use this new tool created by CAcert. * [[TutorialsHowto/Generate-new-CSR|Use CAcert's new CSR generation tool]] Programs generate both a private and a public PKI key. The private key stays saved on your computer (apart from exceptions, as backups). The public key with more information is saved to the CSR file, which represents the base for your new certificate. The CSR file is assembled, according to the certificate purpose intended, based on the pattern you have selected (e.g. a personal certificate or a web server certificate). The CSR file contains your generated public key with a part of information about the subject of your planned certificate and about your public key. The CSR file (certificate signing request) then can be submitted to a '''CA''' or '''Certification Authority''' (here: CAcert Inc.), which signs the CSR with its (CA's) private key. By doing this, the CA creates your new certificate, which contains your public key and can also contain a part of CSR information. CAcert first modifies your CSR, see the [[http://www.cacert.org/policy/CertificationPracticeStatement.php|Certification Practice Statement]] (CPS). Detailed tutorials see [[TutorialsHowto]]. CA does not need to know the private key you have generated. Keep your private key '''secret'''. CA (CAcert's CA) uses the CSR file to grab your information, check it against your web account at CAcert, and then to generate the '''real''' certificate you (''and your services'') will use at '''secured''' communication with your clients (HTTPS, SSL, POP3/SSL, etc.) and with servers. Then you can download the certificate issued and save it as a file with one of CER, CRT, PEM or DER formats. First three formats are usually Base64 coded, DER is the binary format. If you have used the Firefox browser to generate a CSR and save the certificate issued, then you have to realize, that Firefox has its own certificate repository; more steps are needed to save the certificate with the corresponding private key into the system certificate repository. This is discussed on the Wiki page [[FAQ/BrowserClients|Browser Clients]]. (based on Bruno ideas on CAcert support mailing list) Example of [[http://www.spacereg.com/webcert_csr.html|CSR ]] == tools to generate CSRs == * Win32 * [[http://mycert.sandbox.cz|My Certificate Wizard]] part of [[http://www.openvpn.se/|OpenVPN GUI for Windows]] wrapper for the [[http://www.slproweb.com/products/Win32OpenSSL.html|Win32 OpenSSL port]] * [[http://sourceforge.net/projects/xca|XCA]] - certificate management tool and CSR generating * [[https://www.digicert.com/easy-csr/exchange2010.htm|CSR generating]] for Exchange servers * Linux/Unix/*nix * [[CSRGenerator]] is a friendly shell script with CAcert focus * [[http://www.openssl.org/|OpenSSL]] [SimpleApacheCert] * If you're using IIS have a look at: [[HELP/3]] http://isaserver.org/tutorials/2004wildcardcert.html (to be verified) * if you're using openssl have a look at: [[HELP/4]] * OpenSSL users can also look at DigitCert's CSR wizard, which will generate the OpenSSL command-line you need to type in order to generate the CSR locally: https://www.digicert.com/easy-csr/openssl.htm == Analyse your CSR data block == see [[https://www.sslshopper.com/csr-decoder.html|SSL Shopper]] or [[https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp|Symantec CryptoReport]] == More info == see [[SubmitCsr|here]] and [[WebServers|there]] == Official OpenSSL stuff == You can get some more info reading the official OpenSSL documentation. http://www.openssl.org/docs/ ---- . CategoryCommunity . CategoryConfiguration . CategoryGuide . CategorySoftware . CategorySupport