Format and standard for CSR

Robert Moskowitz rgm at
Wed Aug 28 21:48:41 UTC 2019

CSR is an object in a container that goes over a 'wire'.   Sometimes the 
wire is very small (BT4) so the container needs to be tightly designed.

It should be a standard, not something totally off the wall.  Well I 
could do it in CBOR, and probably will at some point, but for now 
something more common in PKIX world should work.

Mangle it, stuff it down the wire, de-mangle it and use it.  For now I 
am referencing RFC 2986.

What do you suggest.  Please reference documents that can be referenced 
in the document.


On 8/28/19 5:23 PM, Michael Sierchio wrote:
> I don't see the point in DER encoding for a CSR – The RA and CA decide 
> the composition of the cert, based on the rules and CPA that they 
> follow, and of course any cert issued will be in DER format, and may 
> include reordering or modified/expanded extensions and key use 
> restrictions.  A CSR is basically an assertion that includes pubkey, 
> proof of possession of the private key, and any request elements 
> required by policy.  It's a one-time document that needs to be 
> validated precisely once.
> On Wed, Aug 28, 2019 at 6:49 AM Robert Moskowitz <rgm at 
> <mailto:rgm at>> wrote:
>     I am writing an Internet Draft that will include transmission of a
>     CSR,
>     so I need to reference the proper source.  No more sloppy, "well it
>     works...".
>     Some digging said it is in PKCS#10 - CSR.  But I did not stop with
>     that.
>     A bit more googling lead me to RFC 4211...
>     When I create a CSR with:
>         openssl req -config openssl-intermediate.cnf\
>             -key ./private/client.key.pem \
>             -subj "$DN" -new -out ./csr/client.csr.pem
>     What format is this?  Are there better, more concise formats (e.g.
>     DER?)
>     for transmission over constrained networks?
>     I can dump it with
>         openssl req -text -noout -verify -in ./csr/client.csr.pem
>     But that does not really tell me the format, only what is in the cert.
>     Thanks
> -- 
> "Well," Brahmā said, "even after ten thousand explanations, a fool is 
> no wiser, but an intelligent person requires only two thousand five 
> hundred."
> - The Mahābhārata

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list