Format and standard for CSR

Robert Moskowitz rgm at
Wed Aug 28 23:13:15 UTC 2019

Uri, Greetings!

On 8/28/19 6:09 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> Do you have an ASN.1 definition for the content of CSR, or are you 
> willing to create one?

For now working with ASN.1.

> IMHO, DER would be a pretty good choice, far better than something 
> home-brewed and non-standard.

Take a look at RFC 7049.  This is the standard for data objects over 
constrained networks.  Then look at


For work being done to define by a good team to meld X.509 stuff with CBOR.

"The wonderful thing about standards is there are so many to choose from."

There was a reference point to Grace Hopper saying this in '58.

> Regards,
> Uri
> Sent from my iPhone
> On Aug 28, 2019, at 17:49, Robert Moskowitz <rgm at> wrote:
>> CSR is an object in a container that goes over a 'wire'. Sometimes 
>> the wire is very small (BT4) so the container needs to be tightly 
>> designed.
>> It should be a standard, not something totally off the wall.  Well I 
>> could do it in CBOR, and probably will at some point, but for now 
>> something more common in PKIX world should work.
>> Mangle it, stuff it down the wire, de-mangle it and use it. For now I 
>> am referencing RFC 2986.
>> What do you suggest?  Please reference documents that can be 
>> referenced in the document.
>> Thanks
>> On 8/28/19 5:23 PM, Michael Sierchio wrote:
>>> I don't see the point in DER encoding for a CSR – The RA and CA 
>>> decide the composition of the cert, based on the rules and CPA that 
>>> they follow, and of course any cert issued will be in DER format, 
>>> and may include reordering or modified/expanded extensions and key 
>>> use restrictions.  A CSR is basically an assertion that includes 
>>> pubkey, proof of possession of the private key, and any request 
>>> elements required by policy.  It's a one-time document that needs to 
>>> be validated precisely once.
>>> On Wed, Aug 28, 2019 at 6:49 AM Robert Moskowitz <rgm at> wrote:
>>>     I am writing an Internet Draft that will include transmission of
>>>     a CSR,
>>>     so I need to reference the proper source.  No more sloppy, "well it
>>>     works...".
>>>     Some digging said it is in PKCS#10 - CSR.  But I did not stop
>>>     with that.
>>>     A bit more googling led me to RFC 4211...
>>>     When I create a CSR with:
>>>         openssl req -config openssl-intermediate.cnf\
>>>             -key ./private/client.key.pem \
>>>             -subj "$DN" -new -out ./csr/client.csr.pem
>>>     What format is this?  Are there better, more concise formats
>>>     (e.g. DER?)
>>>     for transmission over constrained networks?
>>>     I can dump it with
>>>         openssl req -text -noout -verify -in ./csr/client.csr.pem
>>>     But that does not really tell me the format, only what is in the
>>>     cert.
>>>     Thanks
>>> -- 
>>> "Well," Brahmā said, "even after ten thousand explanations, a fool 
>>> is no wiser, but an intelligent person requires only two thousand 
>>> five hundred."
>>> - The Mahābhārata
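
Added example, not part of the original thread: a shell sketch for the "What format is this?" question, showing that the file `openssl req -new` writes by default is the PKCS#10 (RFC 2986) structure in DER, base64-armored as PEM, and that `-outform DER` yields the smaller binary form. The temporary directory, the P-256 key and the subject `/CN=constructed-example` are constructed sample values, and the openssl CLI is assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI.
# Key and subject are constructed sample values.

# Throwaway P-256 key plus a CSR in openssl's default output format (PEM).
make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" &&
    openssl req -new -key "$1/key.pem" -subj "/CN=constructed-example" \
        -out "$1/csr.pem"
}

# Re-encode the same PKCS#10 request as bare DER.
pem_to_der() {
    openssl req -in "$1/csr.pem" -outform DER -out "$1/csr.der"
}

# True when the PEM body, base64-decoded, is byte-identical to the DER file.
armor_is_der() {
    grep -v '^-----' "$1/csr.pem" | openssl base64 -d > "$1/body.der" &&
    cmp -s "$1/body.der" "$1/csr.der"
}

# Byte count of a file.
size() { wc -c < "$1" | tr -d ' '; }

# Number of elements inside the outer SEQUENCE. RFC 2986 defines three:
# certificationRequestInfo, signatureAlgorithm, signature.
top_level_fields() {
    openssl asn1parse -inform DER -in "$1/csr.der" | grep -c 'd=1 '
}

demo() {
    dir=$(mktemp -d) || return 1
    make_csr "$dir" && pem_to_der "$dir" || return 1
    echo "PEM: $(size "$dir/csr.pem") bytes, DER: $(size "$dir/csr.der") bytes"
    armor_is_der "$dir" && echo "PEM body decodes to the same DER bytes"
    echo "top-level fields: $(top_level_fields "$dir")"
    # Proof of possession: check the request's self-signature on the DER copy.
    openssl req -inform DER -in "$dir/csr.der" -noout -verify
    rm -rf "$dir"
}
demo
```

The receiver has to be told which encoding arrives, since `openssl req` assumes PEM unless `-inform DER` is given.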

More information about the openssl-users mailing list