====== Create CSR ======

Compact examples for Certificate Signing Requests. -> **Details:** [[en:int:pqcrypt:szenarien:csr:start|CSR Scenarios]]

----

===== Server CSR (TLS) =====

<code csharp>
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);

var dn = new X500DistinguishedNameBuilder();
dn.AddCommonName("api.example.com");
dn.AddOrganizationName("Example Corp");

var csr = new CertificateRequest(dn.Build(), ecdsa, HashAlgorithmName.SHA384);

// SANs
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("api.example.com");
sanBuilder.AddDnsName("www.example.com");
csr.CertificateExtensions.Add(sanBuilder.Build());

// Key Usage
csr.CertificateExtensions.Add(
    new X509KeyUsageExtension(
        X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));

// EKU: Server Auth
csr.CertificateExtensions.Add(
    new X509EnhancedKeyUsageExtension(
        new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));

var csrBytes = csr.CreateSigningRequest();
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:csr:csr_server|Server CSR]]

----

===== Client CSR (mTLS) =====

<code csharp>
using var mlDsa = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);

var dn = new X500DistinguishedNameBuilder();
dn.AddCommonName("client-app-001");

var csr = new CertificateRequest(dn.Build(), mlDsa, HashAlgorithmName.SHA384);

csr.CertificateExtensions.Add(
    new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
csr.CertificateExtensions.Add(
    new X509EnhancedKeyUsageExtension(
        new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); // clientAuth
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:csr:csr_client|Client CSR]]

----

===== Code Signing CSR =====

<code csharp>
var dn = new X500DistinguishedNameBuilder();
dn.AddCommonName("Example Corp Code Signing");

var csr = new CertificateRequest(dn.Build(), mlDsa, HashAlgorithmName.SHA384);

csr.CertificateExtensions.Add(
    new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
csr.CertificateExtensions.Add(
    new X509EnhancedKeyUsageExtension(
        new OidCollection { new Oid("1.3.6.1.5.5.7.3.3") }, true)); // codeSigning
</code>

----

===== CSR Types =====

^  Type  ^  Key Usage  ^  EKU OID  ^
| Server | digitalSignature, keyEncipherment | 1.3.6.1.5.5.7.3.1 (serverAuth) |
| Client | digitalSignature | 1.3.6.1.5.5.7.3.2 (clientAuth) |
| S/MIME | digitalSignature, keyEncipherment | 1.3.6.1.5.5.7.3.4 (emailProtection) |
| Code Signing | digitalSignature | 1.3.6.1.5.5.7.3.3 (codeSigning) |

----

<< [[.:start|<- Quick Reference]] | [[en:int:pqcrypt:szenarien:csr:start|-> CSR Scenarios (Details)]] >>

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>quickreference csr server client code-signing}}