
Create a Signed Certificate Signing Request (CSR)

A signed Certificate Signing Request (CSR) contains information about your organization and your public key, and is signed with the corresponding private key, which shows that the requester holds that key. The following steps guide you through generating a CSR from a CSR configuration file and signing it with either an RSA or ECC private key.

Before you begin

Before performing certificate request operations using the TrustEdge certificate tool, make sure you have set up your Certificate Signing Request (CSR) configuration file.

  1. Create a sample_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory.

    touch /etc/digicert/keystore/conf/sample_csr.cnf

  2. Add the following sample CSR content to the sample_csr.cnf file.

    ##Subject
    countryName=US
    commonName=iot-device101
    stateOrProvinceName=California
    localityName=San Francisco
    organizationName=DBA
    organizationalUnitName=BU
    ##Requested Extensions
    hasBasicConstraints=true
    isCA=true
    certPathLen=-1
    keyUsage=keyEncipherment, digitalSignature, keyCertSign
    subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
    

Step 1: Prepare the CSR configuration file

  1. If you haven’t already done so, create a CSR configuration file in the /etc/digicert/keystore directory.

  2. Check the contents of the CSR configuration file to ensure it contains the correct information.

    cat /etc/digicert/keystore/sample_csr.cnf
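
Checking that the file "contains the correct information" includes checking what it asks the CA to grant: the sample above requests CA capability (isCA=true, keyCertSign) and wildcard names. The following Python script is an added example, not part of the DigiCert documentation or the TrustEdge tool; it assumes flat key=value lines and that subjectAltNames is laid out as `<count>; <name>, <type>; ...`, and the finding names are made up for illustration.

```python
# Added example (not DigiCert code): lint a CSR configuration before signing.
# Assumptions: flat key=value lines, "#" lines are comments, and subjectAltNames
# is "<count>; <name>, <type>; ..." where type 2 is dNSName (RFC 5280).
SAMPLE = """\
commonName=iot-device101
stateOrProvinceName=California
##Requested Extensions
hasBasicConstraints=true
isCA=true
certPathLen=-1
keyUsage=keyEncipherment, digitalSignature, keyCertSign
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
"""  # constructed from the sample on this page (subject fields shortened)

def parse_csr_conf(text):
    """Return {key: value}, skipping blank lines and # comments."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        conf[key.strip()] = value.strip()
    return conf

def parse_sans(value):
    """Split '<count>; name, type; ...' into (count, [(name, type), ...])."""
    count, *entries = [p.strip() for p in value.split(";") if p.strip()]
    pairs = [tuple(s.strip() for s in e.rsplit(",", 1)) for e in entries]
    return int(count), pairs

def lint(conf):
    """Return findings a reviewer should resolve before the CSR is signed."""
    findings = []
    if not conf.get("commonName"):
        findings.append("missing:commonName")
    if conf.get("isCA", "false").lower() == "true":
        findings.append("requests-ca")  # issued certificate could sign others
    usages = [u.strip() for u in conf.get("keyUsage", "").split(",")]
    if "keyCertSign" in usages:
        findings.append("keyCertSign")
    if "subjectAltNames" in conf:
        count, pairs = parse_sans(conf["subjectAltNames"])
        if count != len(pairs):
            findings.append("san-count-mismatch")
        findings += [f"wildcard-san:{n}" for n, _ in pairs if n.startswith("*.")]
    return findings

if __name__ == "__main__":
    print(lint(parse_csr_conf(SAMPLE)))
```

An empty list means none of these checks fired; any finding should be confirmed as intended before the request is submitted.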
    

Step 2: Generate the CSR

Once the CSR configuration file is ready, you can generate the CSR by specifying the configuration file and signing it with a private key.

Important

Make sure your keystore folder contains the private key (RSA_2048.pem or ECC_P256.pem) being used to sign the CSR. See Generate a software-based private key.

  1. For an RSA private key:

    trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --csr-conf sample_csr.cnf --digest SHA256
    
  2. For an ECC private key:

    trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --csr-conf sample_csr.cnf --digest SHA256
    

Step 3 (optional): Include a signing certificate

If you need to include a signing certificate with your CSR, you can include the --signing-cert option. Make sure the specified signing certificate filename is located in the /etc/digicert/keystore/cert directory.

  1. For RSA keys with a signing certificate:

    trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --signing-cert RSA_CERT_2048.pem --digest SHA256
    
  2. For ECC keys with a signing certificate:

    trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --signing-cert ECC_CERT_P256.pem --digest SHA256
    

Step 4: Verify the CSR

After generating the CSR, you can verify that the file was created by listing the contents of the directory:

    ls -l -R /etc/digicert/keystore

This command displays all directories and files in the keystore directory, including the newly created CSR.