Create the CSR

Before enrolling a certificate via EST, you need to create a certificate signing request (CSR). You will send the CSR in your EST enrollment request.

The CSR supplies the values for the various certificate fields configured in the EST-enabled profile in DigiCert® Trust Lifecycle Manager.

The examples here show how to complete this process using the open source OpenSSL cryptographic tools, available for all major computer operating systems.

OpenSSL configuration file

To facilitate CSR generation, create an OpenSSL configuration file that contains values for the certificate fields from your certificate profile in Trust Lifecycle Manager.

For example, the following OpenSSL configuration file could be used to create a CSR for a certificate with a variety of Subject DN and SAN values, defined in the req_distinguished_name and req_ext sections, respectively.

SAN_FIELDS = IP:10.0.0.10, URI:http://www.digicert.com/, RID:1.2.3.4, DNS:first.digicert.com, DNS:second.digicert.com, email:noreply@digicert.com, email:noreply@mailinator.com
[ req ]
  prompt                 = no
  distinguished_name     = req_distinguished_name
  req_extensions         = req_ext
[ req_distinguished_name ]
  CN                     = device-seat-01
  1.OU                   = Test OU 1
  2.OU                   = Test OU 2
  O                      = Test Org
  L                      = Test Locality
  ST                     = Test State
  C                      = US
  postalCode             = 02860
  serialNumber           = sn0001
  unstructuredName       = Test Unstructured Name
  unstructuredAddress    = Test Unstructured Address
  description            = Test Description
[ req_ext ]
  subjectAltName = $SAN_FIELDS

Generate private key

You need to generate the private key for your certificate before creating the CSR.

RSA

For example, run the following command to generate a 2048-bit RSA private key and save it to a file called device.pem.key:

openssl genrsa -out device.pem.key 2048

ECDSA

To use ECDSA, first run the following command to list the supported curve names:

openssl ecparam -list_curves

Pick a curve from the list and run the following command to generate the private key and save it to a file called device.pem.key, replacing secp521r1 with the name of the curve to use:

openssl ecparam -name secp521r1 -genkey -noout -out device.pem.key

Create the CSR

Create the CSR based on your OpenSSL configuration file and private key.

For example, to create a CSR and save it in a file called device.pem.csr, run the following command:

openssl req -new -nodes -sha256 -key device.pem.key -out device.pem.csr -config openssl.cfg

In this example:

  • The private key is not encrypted with a passphrase (-nodes, "no DES").

  • The CSR is signed using the SHA-256 hash algorithm (-sha256).

  • The private key is read from the device.pem.key file (-key).

  • The CSR is created with the values from the OpenSSL configuration file called openssl.cfg (-config).
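The three steps above (configuration file, private key, CSR) as one runnable script, followed by a check of the CSR before it is sent in the EST enrollment request. This is an added example, not code from this page or from Trust Lifecycle Manager. It assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH, uses the page's file names and test values, and the helper names write_csr_config, generate_key, create_csr, verify_csr and run_example are chosen here; verify_csr adds a step the page does not show, confirming that the CSR's self-signature verifies and that the Subject CN and an expected SAN are actually present.

```shell
#!/bin/sh
# Added example: the configuration, key and CSR steps from this page as one
# script, plus a pre-enrollment check. Assumes the openssl CLI is on PATH.
# File names and subject/SAN values are the page's constructed test values;
# verify_csr and run_example are hypothetical helper names chosen here.
set -e

# Write the OpenSSL configuration that supplies the Subject DN and SAN
# values the Trust Lifecycle Manager profile expects. $SAN_FIELDS is an
# OpenSSL config variable, expanded by openssl, so the heredoc is quoted.
write_csr_config() {
    cat > "$1" <<'EOF'
SAN_FIELDS = IP:10.0.0.10, URI:http://www.digicert.com/, RID:1.2.3.4, DNS:first.digicert.com, DNS:second.digicert.com, email:noreply@digicert.com, email:noreply@mailinator.com
[ req ]
  prompt                 = no
  distinguished_name     = req_distinguished_name
  req_extensions         = req_ext
[ req_distinguished_name ]
  CN                     = device-seat-01
  1.OU                   = Test OU 1
  2.OU                   = Test OU 2
  O                      = Test Org
  L                      = Test Locality
  ST                     = Test State
  C                      = US
  postalCode             = 02860
  serialNumber           = sn0001
  unstructuredName       = Test Unstructured Name
  unstructuredAddress    = Test Unstructured Address
  description            = Test Description
[ req_ext ]
  subjectAltName = $SAN_FIELDS
EOF
}

# Generate the private key: "rsa" gives RSA-2048, anything else is taken as
# an EC curve name from `openssl ecparam -list_curves`. The key never leaves
# the device, so it is created with owner-only permissions (umask 077).
generate_key() {
    key="$1"; alg="$2"
    old_umask=$(umask)
    umask 077
    if [ "$alg" = "rsa" ]; then
        openssl genrsa -out "$key" 2048 2>/dev/null
    else
        openssl ecparam -name "$alg" -genkey -noout -out "$key"
    fi
    umask "$old_umask"
}

# Create the CSR from the key and configuration, exactly as on the page:
# -nodes leaves the key unencrypted, -sha256 selects the signature digest.
create_csr() {
    key="$1"; cfg="$2"; csr="$3"
    openssl req -new -nodes -sha256 -key "$key" -out "$csr" -config "$cfg"
}

# Check a CSR before sending it in the EST request: the self-signature must
# verify (the file is intact and was signed with the matching private key)
# and the Subject CN and a required SAN must be present. Non-zero on failure.
verify_csr() {
    csr="$1"; expect_cn="$2"; expect_san="$3"
    # "verify OK" appears in both the OpenSSL 1.1.1 and 3.x messages
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    text=$(openssl req -in "$csr" -noout -text)
    printf '%s\n' "$text" | grep -q "CN *= *$expect_cn" || return 1
    printf '%s\n' "$text" | grep -q "$expect_san" || return 1
}

# Run the whole procedure in a directory: config, key, CSR, then check.
run_example() {
    dir="$1"; alg="${2:-rsa}"
    mkdir -p "$dir"
    write_csr_config "$dir/openssl.cfg"
    generate_key "$dir/device.pem.key" "$alg"
    create_csr "$dir/device.pem.key" "$dir/openssl.cfg" "$dir/device.pem.csr"
    verify_csr "$dir/device.pem.csr" device-seat-01 DNS:first.digicert.com
}

# Demo run in a scratch directory; the resulting device.pem.csr is the file
# that goes into the EST enrollment request.
demo_dir=$(mktemp -d)
run_example "$demo_dir" rsa
openssl req -in "$demo_dir/device.pem.csr" -noout -subject
```

Pass a curve name instead of rsa as the second argument of run_example (for example prime256v1) to go through the ECDSA branch. The check in verify_csr is worth keeping in any real enrollment script: a CSR whose Subject or SANs do not match the profile is rejected by the EST server, and catching that locally is cheaper than debugging a failed enrollment.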

What's next

Now that you have a CSR, you can use it to request a certificate via EST. To learn more, see Enroll using cURL and Enroll using Postman.