Create a Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) contains information about your organization and your public key, and is signed with the corresponding private key to ensure its authenticity (that is, to prove the requester holds that private key). The following steps guide you through generating a CSR from a CSR configuration file and signing it with either an RSA or ECC private key.
Before you begin
Make sure you have done the following:
You have created a software key or hardware key for use as the signing key for the Certificate Signing Request (CSR).
Step 1: Prepare the CSR configuration file
Create a sample_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory:
touch /etc/digicert/keystore/conf/sample_csr.cnf
Add the following sample CSR content to the sample_csr.cnf file:
##Subject
countryName=US
commonName=iot-device101
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=true
certPathLen=-1
keyUsage=keyEncipherment, digitalSignature, keyCertSign
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
Check the contents of the CSR configuration file to ensure it contains the correct information.
cat /etc/digicert/keystore/conf/sample_csr.cnf
Step 2: Generate the CSR
Once the CSR configuration file is ready, you can generate the CSR by specifying the configuration file and signing it with a private key.
Important: Make sure your keystore folder contains the private key (RSA_2048.pem or ECC_P256.pem) being used to sign the CSR. See Generate a software-based private key.
For an RSA private key:
trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --csr-conf sample_csr.cnf --digest SHA256
For an ECC private key:
trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --csr-conf sample_csr.cnf --digest SHA256
Step 3 (optional): Include a signing certificate
If you need to include a signing certificate with your CSR, add the --signing-cert option. Make sure the specified signing certificate file is located in the /etc/digicert/keystore/cert directory.
For RSA keys with a signing certificate:
trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --signing-key RSA_2048.pem --signing-cert RSA_CERT_2048.pem --digest SHA256
For ECC keys with a signing certificate:
trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --signing-key ECC_P256.pem --signing-cert ECC_CERT_P256.pem --digest SHA256
Step 4: Verify the CSR
After generating the CSR, you can verify it by printing the request file (written to the /etc/digicert/keystore/req directory) in readable form:
trustedge certificate --print-cert /etc/digicert/keystore/req/CSR_ECC_P256.pem
This command will display the certificate request in a readable format.
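As an added example that is not part of Trust Edge or its documentation, the following POSIX shell script shows what a verification step should establish before a request is submitted. It builds a request with openssl using the same subject, SAN and extension values as sample_csr.cnf (the trustedge tool and its .cnf syntax are not used; the OpenSSL config, key file and request file names here are stand-ins), then checks that the request's self-signature verifies, that the CN and SANs are the intended ones, and that a corrupted copy is rejected.

```shell
#!/bin/sh
# Added example: not part of Trust Edge or its documentation. Builds a CSR with
# openssl carrying the same subject/SAN/extension values as sample_csr.cnf, then
# checks it the way a generated request should be checked before enrollment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed OpenSSL request config. It mirrors the fields of sample_csr.cnf but
# is written in OpenSSL's own syntax; the trustedge .cnf format is not an OpenSSL
# config. No pathlen is set, so the CA path length is left unconstrained.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = US
ST = California
L  = San Francisco
O  = DBA
OU = BU
CN = iot-device101

[ ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyEncipherment, digitalSignature, keyCertSign
subjectAltName   = DNS:*.mydomain.com, DNS:*.mydomain.net
EOF

# make_csr KEYFILE CSRFILE: generate a P-256 key and a SHA-256 signed request
# (a stand-in for the key and request that trustedge would write).
make_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
  openssl req -new -key "$1" -sha256 -config "$WORK/req.cnf" -out "$2" 2>/dev/null
}

# verify_csr CSRFILE EXPECTED_CN: returns 0 only if
#   1. the request's self-signature verifies (proof of possession of the key),
#   2. the subject CN is the one expected, and
#   3. every expected SAN and the CA:TRUE constraint are present.
# A request that fails any of these should not be submitted to the CA.
verify_csr() {
  csr=$1; cn=$2
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -q "CN *= *$cn\$" || return 1
  for san in 'DNS:*.mydomain.com' 'DNS:*.mydomain.net'; do
    printf '%s\n' "$text" | grep -qF "$san" || return 1
  done
  printf '%s\n' "$text" | grep -qF 'CA:TRUE' || return 1
  return 0
}

# tamper_csr CSRFILE OUTFILE: flip one base64 character in the PEM body so the
# encoded request no longer matches its signature (simulates a corrupted or
# altered request in transit or on disk).
tamper_csr() {
  awk 'NR==3 { c = substr($0, 1, 1); $0 = (c == "A" ? "B" : "A") substr($0, 2) } 1' "$1" > "$2"
}

KEY=$WORK/ECC_P256.pem
CSR=$WORK/CSR_ECC_P256.pem
make_csr "$KEY" "$CSR"
if verify_csr "$CSR" iot-device101; then
  echo "CSR accepted: signature verifies and subject/SAN fields match"
else
  echo "CSR rejected"
fi
```

To check a real request, point verify_csr at the file trustedge wrote, for example /etc/digicert/keystore/req/CSR_ECC_P256.pem, with the CN you expect. The self-signature check is what ties the request to the private key in your keystore; the field checks catch a configuration file that was edited, or reused from another device, before the request reaches the CA.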
What's next?
Submit your CSR to a certificate authority (CA) using EST or SCEP enrollment.