brain initiation

20231108115553-csr.org

@@ -0,0 +1,11 @@
+:PROPERTIES:
+:ID:       f2991e03-0c05-490e-a0d1-dda24c7e58e6
+:END:
+#+title:  CSR
+
+In public key infrastructure (PKI) systems, a certificate signing request (CSR or certification request) is a message sent from an applicant to a [[id:89d22755-3547-4b92-8933-c31aa3f9cb12][certificate_authority]] of the public key infrastructure (PKI) in order to apply for a digital identity [[id:e28dfeaa-876b-4255-a25e-dcc0c909d08a][certificate]]. The CSR usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and a proof of authenticity including integrity protection (e.g., a digital signature). The most common format for CSRs is the PKCS 10 specification; others include the more capable Certificate Request Message Format (CRMF) and the SPKAC (Signed Public Key and Challenge) format generated by some web browsers.
+
+* procedure
+Before creating a CSR for an X.509 certificate, the applicant first generates a key pair, keeping the private key of that pair secret. The CSR contains information identifying the applicant (such as a distinguished name), the public key chosen by the applicant, and possibly further information. When using the PKCS 10 format, the request must be [[id:eff86d3a-1ae2-4b92-8c6d-c87c16553253][self_signed_certificate]] using the applicant's private key, which provides proof-of-possession of the private key but limits the use of this format to keys that can be used for signing. The CSR should be accompanied by a proof of origin (i.e., proof of identity of the applicant) that is required by the certificate authority, and the certificate authority may contact the applicant for further information.
+
+Typical information required in a CSR (sample column from sample X.509 certificate). Note that there are often alternatives for the Distinguished Names (DN), the preferred value is listed.