
Create a Certificate Signing Request (CSR)

A Certificate Signing Request (CSR) contains information about your organization and your public key, and is signed with the corresponding private key to ensure its authenticity. The following steps guide you through generating a CSR from a CSR configuration file and signing it with either an RSA or an ECC private key.

Before you begin

Make sure you understand the following:

Step 1: Prepare the CSR configuration file

  1. Create a sample_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory.

    touch /etc/digicert/keystore/conf/sample_csr.cnf
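  2. Add the following sample CSR content to the sample_csr.cnf file. The sample requests a CA certificate (isCA=true, with keyCertSign in keyUsage); adjust the subject and extension values to match the certificate you need.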

    ##Subject
    countryName=US
    commonName=iot-device101
    stateOrProvinceName=California
    localityName=San Francisco
    organizationName=DBA
    organizationalUnitName=BU
    ##Requested Extensions
    hasBasicConstraints=true
    isCA=true
    certPathLen=-1
    keyUsage=keyEncipherment, digitalSignature, keyCertSign
    subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
    
  3. Check the contents of the CSR configuration file to ensure it contains the correct information.

    cat /etc/digicert/keystore/conf/sample_csr.cnf
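
An added example, not part of DigiCert's documentation or tooling: a POSIX shell lint for the key=value configuration format shown in this step, to run before the file is passed to --csr-conf. The function names, exit codes and the commonName-required policy are this example's assumptions; the keyCertSign/isCA rule comes from RFC 5280.

```shell
#!/bin/sh
# Added example (not DigiCert code): lint a key=value CSR configuration file
# before it is passed to --csr-conf. Status: 0 clean, 1 warnings, 2 errors.

# Print the value of key $2 in file $1, skipping '#' comment lines.
conf_get() {
    awk -v k="$2" '/^[ \t]*#/ { next }
        (eq = index($0, "=")) {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

lint_csr_conf() {
    lc_file=$1; lc_rc=0
    [ -r "$lc_file" ] || { echo "ERROR: cannot read $lc_file"; return 2; }
    lc_ca=$(conf_get "$lc_file" isCA)
    lc_bc=$(conf_get "$lc_file" hasBasicConstraints)
    lc_ku=$(conf_get "$lc_file" keyUsage)
    # Policy assumed by this example: every request names its subject.
    [ -n "$(conf_get "$lc_file" commonName)" ] ||
        { echo "ERROR: commonName is missing or empty"; lc_rc=2; }
    # isCA only has meaning inside the basicConstraints extension.
    if [ "$lc_ca" = true ] && [ "$lc_bc" != true ]; then
        echo "ERROR: isCA=true but hasBasicConstraints is not true"; lc_rc=2
    fi
    # RFC 5280: keyCertSign must not be asserted unless the cA flag is set.
    case ",$(printf %s "$lc_ku" | tr -d ' \t')," in
        *,keyCertSign,*)
            [ "$lc_ca" = true ] ||
                { echo "ERROR: keyCertSign requested without isCA=true"; lc_rc=2; } ;;
    esac
    # A CA request is valid, but confirm it is intended for this subject.
    if [ "$lc_ca" = true ]; then
        echo "WARN: request asks for a CA certificate (isCA=true)"
        [ "$lc_rc" -ne 0 ] || lc_rc=1
    fi
    return "$lc_rc"
}

# Demo: constructed file holding the sample's subject name and CA extensions.
demo=$(mktemp)
printf '%s\n' 'commonName=iot-device101' 'hasBasicConstraints=true' 'isCA=true' \
    'keyUsage=keyEncipherment, digitalSignature, keyCertSign' > "$demo"
lint_csr_conf "$demo" || echo "lint status: $?"
rm -f "$demo"
```
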
    

Step 2: Generate the CSR

Once the CSR configuration file is ready, you can generate the CSR by specifying the configuration file and signing it with a private key.

Important

Make sure your keystore folder contains the private key (RSA_2048.pem or ECC_P256.pem) being used to sign the CSR. See Generate a software-based private key.

  1. For an RSA private key:

    trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --csr-conf sample_csr.cnf --digest SHA256
    
  2. For an ECC private key:

    trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --csr-conf sample_csr.cnf --digest SHA256
    

Step 3 (optional): Include a signing certificate

If you need to include a signing certificate with your CSR, add the --signing-cert option. Make sure the specified signing certificate file is located in the /etc/digicert/keystore/cert directory.

  1. For RSA keys with a signing certificate:

    trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --signing-cert RSA_CERT_2048.pem --digest SHA256
    
  2. For ECC keys with a signing certificate:

    trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --signing-cert ECC_CERT_P256.pem --digest SHA256
    

Step 4: Verify the CSR

After generating the CSR, verify it by printing its contents:

    trustedge certificate --print-cert /etc/digicert/keystore/req/CSR_ECC_P256.pem

This command will display the certificate request in a readable format.

What's next?

Submit your CSR to a certificate authority (CA) using EST or SCEP enrollment.