

What is a "CSR" and how do I get one?

CSR stands for Certificate Signing Request. It is a file with special contents.

Basic overview

You have to create a CSR file on your computer (a PC or a server). You can use, for example, these means:

These programs generate a PKI key pair: a private key and a public key. The private key stays on your computer (apart from exceptions such as backups). The public key, together with additional information, is saved to the CSR, which forms the basis of your new certificate. The CSR file is assembled according to the pattern you selected for the intended certificate purpose (e.g. a personal certificate or a web server certificate). It contains your generated public key and some information about your planned certificate and about your public key.

The CSR file can then be submitted to a CA (Certification Authority; here: CAcert Inc.), which signs it and thereby creates your new certificate. The certificate contains your public key and may also contain part of the CSR information. CAcert first modifies your CSR; see the Certification Practice Statement (CPS). For detailed tutorials, see TutorialsHowto.

The CA does not know the private key you have generated. Keep your private key secret.
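The key pair and CSR generation described above, as an added example (not part of the original page or CAcert's own tooling). It uses the `openssl` command line; the file names and the subject `www.example.org` are assumed placeholders. It checks that the CSR file holds only a certificate request, that its self-signature verifies, and that its public key matches the private key kept locally.

```shell
#!/bin/sh
# Added example; file names and the subject are constructed placeholders.

# make_csr DIR CN: create a 2048-bit RSA key pair and a CSR inside DIR.
make_csr() {
    (   umask 077   # key file readable by its owner only
        # -nodes leaves the key unencrypted on disk; file permissions protect it
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1/server.key" -out "$1/server.csr" \
            -subj "/CN=$2" 2>/dev/null )
}

# pem_labels FILE: print the type of every PEM block found in FILE.
pem_labels() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# csr_self_signed_ok CSR: the CSR is signed with the private key, which
# proves possession of that key to the CA without revealing it.
csr_self_signed_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSR KEY: the public key in the CSR belongs to KEY.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
make_csr "$demo" "www.example.org"
echo "CSR contains: $(pem_labels "$demo/server.csr")"
csr_self_signed_ok "$demo/server.csr" && echo "self-signature verifies"
csr_matches_key "$demo/server.csr" "$demo/server.key" && echo "CSR matches local key"
openssl req -in "$demo/server.csr" -noout -subject
rm -rf "$demo"
```

Only `server.csr` is sent to the CA; `server.key` never leaves the machine.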

The CA (CAcert's CA) uses the CSR file to read your information, check it against your web account at CAcert, and then generate the actual certificate that you (and your services) will use for secured communication with your clients (HTTPS, SSL, POP3/SSL, etc.) and with servers.

Then you can download the issued certificate and save it as a file in one of the CER, CRT, PEM or DER formats. The first three formats are usually Base64-encoded; DER is the binary format.

If you used the Firefox browser to generate the CSR and save the issued certificate, be aware that Firefox has its own certificate repository; more steps are needed to save the certificate with the corresponding private key into the system certificate repository. This is discussed on the page Browser Clients.

(based on Bruno's ideas on the CAcert support mailing list)

Example of CSR

tools to generate CSRs

Analyse your CSR data block

see Analyse CSR

More info

see here and there

Official OpenSSL stuff

You can get some more info reading the official OpenSSL documentation.

http://www.openssl.org/docs/