Format and standard for CSR
Robert Moskowitz
rgm at htt-consult.com
Wed Aug 28 14:25:37 UTC 2019
Peter, thank you for the response.
On 8/28/19 10:09 AM, Bowen, Peter wrote:
> I think you want RFC 2986 (https://tools.ietf.org/html/rfc2986 ). That is the most recent "PKCS #10" specification that I have seen and should align with what `openssl req` creates. Adding '-outform DER' to your command will output in DER; the default output is PEM which is defined in RFC 7468 (https://tools.ietf.org/html/rfc7468 ).
This will be within a HIP registration exchange (RFC 8003), so PKCS #10
in DER seems best.
> Depending on your use case, you may want to consider using a SPKAC formatted request instead. See `openssl spkac` and https://en.wikipedia.org/wiki/SPKAC for more info.
Considering the process, the PKCS10 fits better.
Thanks for the references.
>
> On 8/28/19, 6:49 AM, "openssl-users on behalf of Robert Moskowitz" <openssl-users-bounces at openssl.org on behalf of rgm at htt-consult.com> wrote:
>
> I am writing an Internet Draft that will include transmission of a CSR,
> so I need to reference the proper source. No more sloppy, "well it
> works...".
>
> Some digging said it is in PKCS#10 - CSR. But I did not stop with that.
>
> A bit more googling led me to RFC 4211...
>
> When I create a CSR with:
>
>     openssl req -config openssl-intermediate.cnf \
>         -key ./private/client.key.pem \
>         -subj "$DN" -new -out ./csr/client.csr.pem
>
> What format is this? Are there better, more concise formats (e.g. DER?)
> for transmission over constrained networks?
>
> I can dump it with
>
>     openssl req -text -noout -verify -in ./csr/client.csr.pem
>
> But that does not really tell me the format, only what is in the cert.
>
> Thanks
>
>
>
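The PEM/DER relationship discussed in this thread, as an added example that is not part of the original message: it creates one PKCS #10 request, re-encodes it with -outform DER, and checks that the PEM body is the base64 of the DER bytes (RFC 7468) and that the DER form still verifies. The P-256 key, the subject and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: one PKCS #10 (RFC 2986) request in PEM and in DER.
# Key type (P-256) and subject are constructed values for this demo.

# Create a throwaway key and a CSR in directory $1, as PEM and as DER.
make_csr() {
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" &&
    openssl req -new -key "$dir/key.pem" -subj "/CN=constructed-example" \
        -out "$dir/csr.pem" &&
    # Re-encode the same request as DER (same bytes -outform DER writes).
    openssl req -in "$dir/csr.pem" -outform DER -out "$dir/csr.der"
}

# Succeeds if the PEM body ($1) is exactly the base64 of the DER file ($2).
pem_wraps_der() {
    sed '/^-----/d' "$1" | openssl base64 -d | cmp -s - "$2"
}

# Succeeds if the DER request ($1) parses and its self-signature verifies.
der_csr_verifies() {
    openssl req -inform DER -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Byte count of file $1.
size_of() {
    wc -c < "$1" | tr -d ' '
}

demo() {
    dir=$(mktemp -d) || return 1
    make_csr "$dir" || return 1
    pem_wraps_der "$dir/csr.pem" "$dir/csr.der" || return 1
    der_csr_verifies "$dir/csr.der" || return 1
    echo "PEM: $(size_of "$dir/csr.pem") bytes, DER: $(size_of "$dir/csr.der") bytes"
    rm -rf "$dir"
}
demo
```

The DER file is the smaller of the two because PEM adds base64 expansion plus the BEGIN/END lines around the same bytes.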