Create the CSR
Before enrolling a certificate via EST, you need to create a certificate signing request (CSR). You will send the CSR in your EST enrollment request.
The CSR supplies the values for the various certificate fields configured in the EST-enabled profile in DigiCert® Trust Lifecycle Manager.
The examples here show how to complete this process using the open source OpenSSL cryptographic tools, available for all major computer operating systems.
OpenSSL configuration file
To facilitate CSR generation, create an OpenSSL configuration file that contains values for the certificate fields from your certificate profile in Trust Lifecycle Manager.
For example, the following OpenSSL configuration file could be used to create a CSR for a certificate with a variety of Subject DN and SAN values, defined in the req_distinguished_name and req_ext sections, respectively.
SAN_FIELDS = IP:10.0.0.10, URI:http://www.digicert.com/, RID:1.2.3.4, DNS:first.digicert.com, DNS:second.digicert.com, email:noreply@digicert.com, email:noreply@mailinator.com

[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
CN = device-seat-01
1.OU = Test OU 1
2.OU = Test OU 2
O = Test Org
L = Test Locality
ST = Test State
C = US
postalCode = 02860
serialNumber = sn0001
unstructuredName = Test Unstructured Name
unstructuredAddress = Test Unstructured Address
description = Test Description

[ req_ext ]
subjectAltName = $SAN_FIELDS
Generate private key
You need to generate the private key for your certificate before creating the CSR.
RSA
For example, run the following command to generate a 2048-bit RSA private key and save it to a file called device.pem.key:
openssl genrsa -out device.pem.key 2048
ECDSA
To use ECDSA, first run the following command to list the supported curve names:
openssl ecparam -list_curves
Pick a curve from the list and run the following command to generate the private key and save it to a file called device.pem.key, replacing secp521r1 with the name of the curve you chose:
openssl ecparam -name secp521r1 -genkey -noout -out device.pem.key
Create the CSR
Create the CSR based on your OpenSSL configuration file and private key.
For example, to create a CSR and save it in a file called device.pem.csr, run the following command:
openssl req -new -nodes -sha256 -key device.pem.key -out device.pem.csr -config openssl.cfg
In this example:
- The private key is not encrypted with a passphrase (-nodes, or "no DES").
- The CSR is signed with the SHA-256 hashing algorithm (-sha256).
- The private key is read from the device.pem.key file.
- The CSR is created with the values from the OpenSSL configuration file called openssl.cfg.
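The following script is an added example, not part of the DigiCert documentation: it writes a reduced version of the configuration above, generates an ECDSA key and the CSR with the commands shown, and then runs the checks worth doing before the CSR is submitted to the EST server (the self-signature verifies, the CSR's public key matches the private key on disk, and every requested SAN is present). The scratch directory, the P-256 curve and the trimmed set of Subject DN fields are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the page's own script): build the CSR, then pre-flight it.
set -eu
WORK="${TMPDIR:-/tmp}/est-csr-example"   # assumed scratch directory
mkdir -p "$WORK"

# Config values come from the page's sample; in practice they must match
# the certificate profile in Trust Lifecycle Manager.
write_config() {
  cat > "$WORK/openssl.cfg" <<'EOF'
SAN_FIELDS = IP:10.0.0.10, DNS:first.digicert.com, DNS:second.digicert.com, email:noreply@digicert.com
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
CN = device-seat-01
O  = Test Org
C  = US
[ req_ext ]
subjectAltName = $SAN_FIELDS
EOF
}

# ECDSA P-256 key (curve chosen for this example) and the CSR, as on the page.
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/device.pem.key"
  openssl req -new -nodes -sha256 -key "$WORK/device.pem.key" \
    -out "$WORK/device.pem.csr" -config "$WORK/openssl.cfg"
}

# Pre-flight checks; prints "ok" when the CSR is fit to submit.
check_csr() {
  csr="$WORK/device.pem.csr"; key="$WORK/device.pem.key"
  # 1. The CSR's self-signature verifies (proof the requester holds the key).
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo bad-signature; return 1; }
  # 2. The public key inside the CSR is the one derived from our private key.
  [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo key-mismatch; return 1; }
  # 3. Every SAN requested in the config actually landed in the request.
  text=$(openssl req -in "$csr" -noout -text)
  for san in first.digicert.com second.digicert.com 10.0.0.10 noreply@digicert.com; do
    echo "$text" | grep -q -- "$san" || { echo "missing-san:$san"; return 1; }
  done
  echo ok
}

write_config && make_csr && check_csr
```

A CSR that fails any of these checks will be rejected by the CA or, worse, issued with the wrong identifiers, so running them locally is cheaper than debugging an EST error response.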
What's next
Now that you have a CSR, you can use it to request a certificate via EST. To learn more, see Enroll using cURL and Enroll using Postman.