Create a Certificate Signing Request (CSR)

A signed Certificate Signing Request (CSR) includes information about your organization and public key and is signed with the corresponding private key to ensure its authenticity. The following steps will guide you through generating a CSR using a CSR configuration file and signing it with either an RSA or ECC private key.

Before you begin

Make sure you understand the following:

TrustEdge must be installed on a supported device.
The user running TrustEdge CLI commands must be a member of the trustedge group.
- Use groups "$(whoami)" to see group membership.
- Use sudo adduser "$(whoami)" trustedge to add your user to the trustedge group.
You have an understanding of TrustEdge keystore directory and permissions.
You created a software key or hardware key for use as a signing key for the Certificate Signing Request (CSR).

Step 1: Prepare the CSR configuration file

Create a sample_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystoreconf directory.
```
touch /etc/digicert/keystore/conf/sample_csr.cnf
```

Add the following sample CSR content to the sample_csr.cnf file.

##Subject
countryName=US
commonName=iot-device101
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=true
certPathLen=-1
keyUsage=keyEncipherment, digitalSignature, keyCertSign
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2

Check the contents of the CSR configuration file to ensure it contains the correct information.
```
cat /etc/digicert/keystore/sample_csr.cnf
```

Step 2: Generate the CSR

Once the CSR configuration file is ready, you can generate the CSR by specifying the configuration file and signing it with a private key.

Important

Make sure your keystore folder contains the private key (RSA_2048.pem or ECC_P256.pem) being used to sign the CSR. See Generate a software-based private key.

For an RSA private key:

trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --csr-conf sample_csr.cnf --digest SHA256

For an ECC private key:

trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --csr-conf sample_csr.cnf --digest SHA256

Step 3 (optional): Include a signing certificate

If you need to include a signing certificate with your CSR, you can include the --signing-cert option. Make sure the specified signing certificate filename is located in the /etc/digicert/keystore/cert directory.

For RSA keys with a signing certificate:

trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --signing-cert RSA_CERT_2048.pem --digest SHA256

For ECC keys with a signing certificate:

trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --signing-cert ECC_CERT_P256.pem --digest SHA256

Step 4: Verify the CSR

After generating the CSR, you can verify that the file was created by listing the contents of the directory:

trustedge certificate --print-cert /etc/digicert/keystore/req/CSR_ECC_P256.pem

This command will display the certificate request in a readable format.

What's next?

Submit your CSR to a certificate authority (CA) using EST or SCEP enrollment.

In this section: