Format and standard for CSR

Michael Sierchio kudzu at
Wed Aug 28 21:23:01 UTC 2019

I don't see the point in DER encoding for a CSR – The RA and CA decide the
composition of the cert, based on the rules and CPA that they follow, and
of course any cert issued will be in DER format, and may include reordering
or modified/expanded extensions and key use restrictions.  A CSR is
basically an assertion that includes pubkey, proof of possession of the
private key, and any request elements required by policy.  It's a one-time
document that needs to be validated precisely once.

On Wed, Aug 28, 2019 at 6:49 AM Robert Moskowitz <rgm at>

> I am writing an Internet Draft that will include transmission of a CSR,
> so I need to reference the proper source.  No more sloppy, "well it
> works...".
> Some digging said it is in PKCS#10 - CSR.  But I did not stop with that.
> A bit more googling lead me to RFC 4211...
> When I create a CSR with:
>     openssl req -config openssl-intermediate.cnf\
>         -key ./private/client.key.pem \
>         -subj "$DN" -new -out ./csr/client.csr.pem
> What format is this?  Are there better, more concise formats (e.g. DER?)
> for transmission over constrained networks?
> I can dump it with
>     openssl req -text -noout -verify -in ./csr/client.csr.pem
> But that does not really tell me the format, only what is in the cert.
> Thanks


"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list