~~NOTOC~~
====== 2. Certificate Signing Requests (CSR) ======
**Scenarios:** 4 \\
**FFI Functions:** ~25 \\
**Status:** Planned

This category covers all scenarios for creating and processing Certificate Signing Requests (CSRs), from simple server requests to complex multi-SAN requests.
----
===== Scenarios =====
^ ID ^ Scenario ^ Description ^ Complexity ^ Status ^
| [[.:csr_server|2.1]] | Create Server CSR | CSR for TLS server certificate | %%**%% | Planned |
| [[.:csr_client|2.2]] | Create Client CSR | CSR for client authentication | %%**%% | Planned |
| [[.:csr_multi_san|2.3]] | Multi-SAN CSR | CSR with multiple Subject Alternative Names | %%***%% | Planned |
| [[.:csr_verarbeiten|2.4]] | Process CSR | Validate, check, sign CSR | %%***%% | Planned |
----
===== Workflow =====
<mermaid>
flowchart LR
    subgraph CLIENT["Requester"]
        K[Generate key pair]
        C[Create CSR]
        S[Sign CSR]
    end
    subgraph CA["Certificate Authority"]
        V[Validate CSR]
        P[Check policy]
        I[Issue certificate]
    end
    K --> C --> S --> V --> P --> I
    style K fill:#e3f2fd
    style I fill:#e8f5e9
</mermaid>
----
===== CSR Contents =====
^ Field ^ Description ^ Example ^
| Subject | Distinguished Name | CN=server.example.com, O=Org, C=DE |
| Public Key | ML-DSA-65 or Hybrid | SPKI-encoded |
| Attributes | Requested extensions | SAN, Key Usage |
| Signature | Proof of private key possession | Self-signed |
----
===== Quick Start Code =====
<code csharp>
using System.IO;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Key pair for server; the private key stays with the requester
using var serverKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// Create CSR; it is signed with serverKey as proof of possession
var csr = ctx.CreateCertificateRequest(
    serverKey,
    new DnBuilder().AddCN("server.example.com").AddO("My Org").Build(),
    extensions: new ExtBuilder()
        .SubjectAlternativeName(new[] { "server.example.com", "www.example.com" })
        // ML-DSA is a signature-only algorithm, so KeyEncipherment is not requested
        .KeyUsage(KeyUsageFlags.DigitalSignature)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .Build()
);

// Save CSR as PEM (contains only the public key, subject and requested extensions)
File.WriteAllText("server.csr.pem", csr.ToPem());
</code>
-> //Complete example:// [[.:csr_server|Scenario 2.1]]
----
===== Related Categories =====
^ Category ^ Relationship ^
| [[.:pki:start|1. PKI Infrastructure]] | CA to sign the CSRs |
| [[.:zertifikate:start|3. Issue Certificates]] | CSR becomes certificate |
| [[.:schluessel:start|11. Key Management]] | Manage CSR private key |
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>category csr certificate-request request}}