
Create the CSR for SCEP enrollment

Before enrolling a certificate via SCEP, you need to create a certificate signing request (CSR). You will send the CSR in your SCEP enrollment request.

The CSR supplies the values for the various certificate fields configured in the SCEP-enabled profile in DigiCert® Trust Lifecycle Manager.

The examples here show how to complete this process using the open source OpenSSL cryptographic tools, available for all major computer operating systems.

OpenSSL configuration file

To facilitate CSR generation, create an OpenSSL configuration file that contains:

  • Values for the certificate fields from your certificate profile in Trust Lifecycle Manager.

  • The enrollment code for the seat ID you are enrolling via SCEP, supplied as the challengePassword attribute. This code is what authorizes the enrollment, so treat the configuration file as a secret: restrict its permissions and delete it (or the code) once the certificate has been issued.

The following example shows all supported SCEP fields in the Subject DN and SAN extension, plus a test enrollment code (challengePassword). SAN_FIELDS is defined before the first section header, so it lives in the OpenSSL default section and is expanded where $SAN_FIELDS appears in [ req_ext ]. Replace the placeholder values with the ones your certificate profile expects:

SAN_FIELDS = IP:10.0.0.10, URI:http://www.digicert.com/, RID:1.2.3.4, DNS:first.digicert.com, DNS:second.digicert.com, email:noreply@digicert.com, email:noreply@mailinator.com

[ req ]
    prompt = no
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    attributes = req_attributes

[ req_distinguished_name ]
    CN = device-seat-01
    1.OU = Test OU 1
    2.OU = Test OU 2
    O = Test Org
    L = Test Locality
    ST = Test State
    C = US
    postalCode = 02860
    serialNumber = sn0001
    unstructuredName = Test Unstructured Name
    unstructuredAddress = Test Unstructured Address
    description = Test Description

[ req_ext ]
    subjectAltName = $SAN_FIELDS

[ req_attributes ]
    challengePassword = RLW60QNN7WJ7

Generate private key

You need to generate the private key for your certificate before creating the CSR.

RSA

For example, run the following command to generate a 2048-bit RSA private key and save it to a file called device.pem.key. Keep this file private (for example, create it under umask 077), since anyone holding it can use the certificate that will be issued for it:

openssl genrsa -out device.pem.key 2048

Create the CSR

Create the CSR based on your OpenSSL configuration file and private key.

For example, to create a CSR and save it in a file called device.pem.csr, run the following command:

openssl req -new -sha256 -key device.pem.key -out device.pem.csr -config openssl.cfg

In this example:

  • The CSR's self-signature uses SHA-256 as the digest algorithm (-sha256); the signature itself is made with the private key.

  • The private key is read from the device.pem.key file (-key).

  • The CSR is created with the values from the OpenSSL configuration file called openssl.cfg (-config), including the Subject DN, the SAN extension, and the challengePassword attribute.

Convert CSR from PEM to DER

The SCEP server for Trust Lifecycle Manager expects CSRs to be in DER format.

To convert a PEM-encoded CSR file called device.pem.csr to DER format, writing it to a file called device.der.csr, run the following command (PEM is the default input format, so no -inform option is needed):

openssl req -in device.pem.csr -out device.der.csr -outform DER
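
The whole procedure above (configuration file, key generation, CSR creation, and DER conversion), together with the checks a practitioner should run before submitting the CSR, as an added shell example. This is not DigiCert's tooling or a script from this page: the subject values, SAN entries, and enrollment code it writes into the configuration file are constructed test data, and the file names match the ones used in the steps above.

```shell
#!/bin/sh
# Added example: build a SCEP CSR with OpenSSL and verify it before enrollment.
# Not DigiCert's own tooling; all DN/SAN values and the enrollment code are
# constructed placeholders.
set -eu

# make_scep_csr WORKDIR CN ENROLLMENT_CODE
# Writes openssl.cfg, device.pem.key, device.pem.csr and device.der.csr into
# WORKDIR. Runs in a subshell so the restrictive umask does not leak out: the
# config holds the enrollment code and the key file is the device's secret, so
# both are created mode 0600.
make_scep_csr() (
    workdir=$1; cn=$2; code=$3
    mkdir -p "$workdir"
    umask 077
    # SAN_FIELDS sits before the first section header, i.e. in the default
    # section, and is expanded by $SAN_FIELDS inside [ req_ext ].
    cat > "$workdir/openssl.cfg" <<EOF
SAN_FIELDS = DNS:${cn}.example.test, IP:10.0.0.10, email:noreply@example.test

[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
attributes = req_attributes

[ req_distinguished_name ]
CN = ${cn}
1.OU = Test OU 1
O = Test Org
C = US

[ req_ext ]
subjectAltName = \$SAN_FIELDS

[ req_attributes ]
challengePassword = ${code}
EOF
    openssl genrsa -out "$workdir/device.pem.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$workdir/device.pem.key" \
        -out "$workdir/device.pem.csr" -config "$workdir/openssl.cfg"
    openssl req -in "$workdir/device.pem.csr" \
        -out "$workdir/device.der.csr" -outform DER
)

# csr_signature_ok CSR FORM: succeed when the CSR's self-signature verifies
# against the public key embedded in it. FORM is PEM or DER.
csr_signature_ok() {
    openssl req -inform "$2" -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: succeed when the public key in the CSR is the one
# derived from KEY, i.e. the CSR was built from this key and not a stale one.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# csr_text_has CSR FORM TEXT: succeed when the decoded CSR mentions TEXT.
# Used to confirm the SAN extension and challengePassword attribute were not
# silently dropped (the usual cause is a missing req_extensions/attributes line).
csr_text_has() {
    openssl req -inform "$2" -in "$1" -noout -text | grep -q -- "$3"
}

# first_byte_hex FILE: print the first byte as hex. A DER CSR starts with 0x30
# (ASN.1 SEQUENCE); a PEM one starts with "-" (0x2d).
first_byte_hex() {
    head -c 1 "$1" | od -An -tx1 | tr -d ' \n'
}

# Stand-alone run: build into ./scep-csr and report.
if [ "${1:-}" = "run" ]; then
    make_scep_csr ./scep-csr device-seat-01 RLW60QNN7WJ7
    csr_signature_ok ./scep-csr/device.der.csr DER && echo "DER CSR self-signature OK"
    csr_matches_key ./scep-csr/device.pem.csr ./scep-csr/device.pem.key && echo "CSR matches device.pem.key"
    openssl req -inform DER -in ./scep-csr/device.der.csr -noout -text
fi
```

Run it as `sh make-csr.sh run`. The `-text` dump at the end is worth reading before enrolling: the Subject, the Requested Extensions (Subject Alternative Name) and the Attributes (challengePassword) must all be present, since Trust Lifecycle Manager fills the certificate from these fields and a CSR missing them will be rejected or issued without the SAN. Once enrollment succeeds, delete openssl.cfg or at least remove the challengePassword line from it.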

What's next

Now that you have a CSR in DER format, you can use it to request a certificate via SCEP. For example, see Test using the DigiCert SCEP client.