====== Scenario 2.2: Create Client CSR ======
**Category:** [[.:start|Certificate Signing Requests (CSR)]] \\
**Complexity:** ** (Medium) \\
**Prerequisites:** Key pair available \\
**Estimated Time:** 5-10 minutes
----
===== Description =====
This scenario describes creating a **Certificate Signing Request (CSR)** for a client certificate. Client certificates are used for mTLS authentication, smart card login, or API access.
**What is created:**
* ML-DSA-65 key pair
* CSR with client DN and extensions
* Extended Key Usage: clientAuth
**Use cases:**
* mTLS API authentication
* VPN access
* Smart Card / PIV
* Service-to-service communication
----
===== Difference Server vs. Client CSR =====
^ Aspect ^ Server CSR ^ Client CSR ^
| Extended Key Usage | serverAuth | clientAuth |
| Subject | DNS name in CN (legacy; the SAN is authoritative for name matching) | User or service name |
| SAN | DNS names, IP addresses | E-mail, UPN (DNS name for service accounts) |
| Key Usage | digitalSignature (plus keyEncipherment only for RSA key transport; not applicable to signature-only ML-DSA keys) | digitalSignature |
----
===== Code Example (C#) =====
<code csharp>
using System;
using System.IO;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Key pair for the client (ML-DSA-65 is signature-only, so no keyEncipherment)
using var clientKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// DN for user or service
var dn = new DnBuilder()
    .AddCN("John Doe")                 // or service name
    .AddO("Example GmbH")
    .AddOU("Development")
    .AddC("DE")
    .AddEmail("john.doe@example.com")
    .Build();

// Extensions for a client certificate: identities in the SAN, clientAuth only
var extensions = new ExtBuilder()
    .SubjectAlternativeName(new[] {
        "email:john.doe@example.com",
        "upn:john.doe@example.local"   // Windows UPN (otherName 1.3.6.1.4.1.311.20.2.3)
    })
    .KeyUsage(KeyUsageFlags.DigitalSignature)
    .ExtendedKeyUsage(ExtKeyUsage.ClientAuth)
    .Build();

// Create the CSR (a PKCS#10 request is self-signed with the client key as proof of possession)
var csr = ctx.CreateCertificateRequest(clientKey, dn, extensions);

// Save: only client.csr.pem goes to the CA, the private key stays on this host.
// The passphrase is hard-coded for the demo only; read it from a secret store in production.
File.WriteAllText("client.csr.pem", csr.ToPem());
File.WriteAllText("client.key.pem", clientKey.ToEncryptedPem("ClientPassword!"));

Console.WriteLine("Client CSR created");
Console.WriteLine($"Subject: {csr.Subject}");
</code>
----
===== Service Account CSR =====
For service-to-service communication:
<code csharp>
var dn = new DnBuilder()
    .AddCN("payment-service")
    .AddO("Example GmbH")
    .AddOU("Microservices")
    .Build();

// The DNS names identify the calling workload; the EKU stays clientAuth
var extensions = new ExtBuilder()
    .SubjectAlternativeName(new[] {
        "dns:payment-service.internal",
        "dns:payment-service.prod.svc.cluster.local" // Kubernetes
    })
    .KeyUsage(KeyUsageFlags.DigitalSignature)
    .ExtendedKeyUsage(ExtKeyUsage.ClientAuth)
    .Build();
</code>
----
===== Parameters =====
==== Extended Key Usage for Clients ====
^ OID ^ Name ^ Usage ^
| 1.3.6.1.5.5.7.3.2 | clientAuth | mTLS client |
| 1.3.6.1.4.1.311.20.2.2 | smartcardLogon | Windows Smart Card |
| 1.3.6.1.5.5.7.3.4 | emailProtection | S/MIME (optional) |
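The server-vs-client table and the EKU OID table above describe what a CA operator should find in a client CSR before signing it. The following Python example is added here and is neither the WvdS library's code nor part of the original page; it shows how the client extension set from this scenario (e-mail and UPN in the SAN, KeyUsage digitalSignature, EKU clientAuth) is encoded in DER, and checks a received Extensions blob against the client profile, rejecting server-style requests (serverAuth, keyEncipherment). It uses only the standard library so it runs without the PQ library. Assumptions: the caller has already extracted the Extensions SEQUENCE from the PKCS#10 extensionRequest attribute; the UPN otherName OID 1.3.6.1.4.1.311.20.2.3 is the Microsoft-defined value; the sample identities are the constructed values from the page.

```python
"""Encode and check the X.509 v3 extensions of a client-certificate CSR (stdlib only)."""
from __future__ import annotations

# Extension and EKU identifiers (RFC 5280 / page parameter table); UPN otherName is Microsoft-defined.
OID_KEY_USAGE, OID_SAN, OID_EKU = "2.5.29.15", "2.5.29.17", "2.5.29.37"
OID_SERVER_AUTH, OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
OID_UPN = "1.3.6.1.4.1.311.20.2.3"
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT = 0, 2      # KeyUsage named bits

# ---- minimal DER encoder ---------------------------------------------------
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_key_usage(*bits: int) -> bytes:
    nbits = max(bits) + 1                     # DER: trailing zero bits are dropped
    nbytes = (nbits + 7) // 8
    value = sum(1 << (nbytes * 8 - 1 - b) for b in bits)
    return tlv(0x03, bytes([nbytes * 8 - nbits]) + value.to_bytes(nbytes, "big"))

def general_names(*names: str) -> bytes:
    """'email:x' -> rfc822Name [1], 'dns:x' -> dNSName [2], 'upn:x' -> otherName [0]."""
    out = b""
    for name in names:
        kind, _, val = name.partition(":")
        if kind == "email":
            out += tlv(0x81, val.encode("ascii"))
        elif kind == "dns":
            out += tlv(0x82, val.encode("ascii"))
        elif kind == "upn":                   # OtherName { type-id, [0] EXPLICIT UTF8String }
            out += tlv(0xA0, encode_oid(OID_UPN) + tlv(0xA0, tlv(0x0C, val.encode("utf-8"))))
        else:
            raise ValueError(f"unsupported SAN type {kind!r}")
    return tlv(0x30, out)

def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + crit + tlv(0x04, value))

def build_extensions(san: list[str], key_usage_bits: tuple[int, ...], ekus: list[str]) -> bytes:
    """Extensions SEQUENCE as carried inside the PKCS#10 extensionRequest attribute."""
    return tlv(0x30, extension(OID_SAN, general_names(*san))
               + extension(OID_KEY_USAGE, encode_key_usage(*key_usage_bits), critical=True)
               + extension(OID_EKU, tlv(0x30, b"".join(encode_oid(o) for o in ekus))))

def build_client_extensions(email: str, upn: str) -> bytes:
    """Client profile from the page: e-mail + UPN in SAN, digitalSignature, clientAuth."""
    return build_extensions([f"email:{email}", f"upn:{upn}"], (KU_DIGITAL_SIGNATURE,), [OID_CLIENT_AUTH])

# ---- minimal DER decoder and profile check -----------------------------------
def _read_tlv(data: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def _children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_extensions(der: bytes) -> dict:
    found = {"key_usage": set(), "eku": [], "san": []}
    for _, ext in _children(_read_tlv(der)[1]):
        parts = list(_children(ext))          # OID, optional BOOLEAN, OCTET STRING
        oid, value = decode_oid(parts[0][1]), parts[-1][1]
        if oid == OID_KEY_USAGE:
            bits = _read_tlv(value)[1]
            unused, payload = bits[0], bits[1:]
            found["key_usage"] = {b for b in range(len(payload) * 8 - unused)
                                  if payload[b // 8] >> (7 - b % 8) & 1}
        elif oid == OID_EKU:
            found["eku"] = [decode_oid(v) for _, v in _children(_read_tlv(value)[1])]
        elif oid == OID_SAN:
            for tag, v in _children(_read_tlv(value)[1]):
                if tag == 0x81:
                    found["san"].append(("email", v.decode("ascii")))
                elif tag == 0x82:
                    found["san"].append(("dns", v.decode("ascii")))
                elif tag == 0xA0:
                    type_id, explicit = list(_children(v))
                    if decode_oid(type_id[1]) == OID_UPN:
                        found["san"].append(("upn", _read_tlv(explicit[1])[1].decode("utf-8")))
    return found

def check_client_profile(der: bytes) -> list[str]:
    """Deviations from the client profile (empty list = accept)."""
    f, problems = decode_extensions(der), []
    if OID_CLIENT_AUTH not in f["eku"]:
        problems.append("EKU lacks clientAuth")
    if OID_SERVER_AUTH in f["eku"]:
        problems.append("EKU contains serverAuth: server profile, reject for a client request")
    if KU_DIGITAL_SIGNATURE not in f["key_usage"]:
        problems.append("KeyUsage lacks digitalSignature")
    if KU_KEY_ENCIPHERMENT in f["key_usage"]:
        problems.append("KeyUsage has keyEncipherment: RSA key transport only, meaningless for ML-DSA")
    if not f["san"]:
        problems.append("SAN carries no identity (e-mail, UPN or DNS name expected)")
    return problems

if __name__ == "__main__":
    client = build_client_extensions("john.doe@example.com", "john.doe@example.local")
    print(decode_extensions(client), check_client_profile(client) or "client profile OK")
```

Feed `check_client_profile` the Extensions SEQUENCE taken from the CSR's extensionRequest attribute (OID 1.2.840.113549.1.9.14); a non-empty result is the reason to reject before the CA ever signs. The critical flag is set on KeyUsage only, matching common CA practice; the decoder ignores it, so requests with or without the flag are checked alike.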
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Next Step** | [[en:int:pqcrypt:szenarien:zertifikate:client_cert|3.2 Client Certificate]] | Sign CSR by CA |
| **Related** | [[en:int:pqcrypt:szenarien:authentifizierung:mtls_client_auth|9.1 mTLS Client Auth]] | Use certificate |
| **Alternative** | [[.:csr_server|2.1 Server CSR]] | For servers |
----
<< [[.:csr_server|<- 2.1 Server CSR]] | [[.:start|^ CSR Overview]] | [[.:csr_multi_san|2.3 Multi-SAN CSR ->]] >>
{{tag>scenario csr client mtls authentication}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//