Format and standard for CSR

Viktor Dukhovni openssl-users at
Thu Aug 29 10:37:28 UTC 2019

> On Aug 28, 2019, at 9:30 PM, Blumenthal, Uri - 0553 - MITLL <uri at> wrote:
>>> Do you have an ASN.1 definition fit the content of CSR, or are you willing to create one?
>> For now working with ASN.1.
> In that case, I would use one of the available defined standards, which are well-supported by already existing Open Source software.

CSRs are signed objects (proof of possession).  The signature is
over the DER form of the RequestInfo.  Therefore, the only natural
encoding for CSR is DER, or base64-encoded DER wrapped in PEM
ASCII armour.

Adding X.509 extensions to CSRs is sadly rather more complex than
one might have hoped for, but that's only an issue if you have to
write low-level library code to construct CSRs.  If you have such
a library, just serialize to DER and you're done.


More information about the openssl-users mailing list