Scenario 2.2: Create Client CSR
Category: Certificate Signing Requests (CSR)
Complexity: Medium
Prerequisites: Key pair available
Estimated Time: 5-10 minutes
</WRAP>
----
===== Description =====
This scenario describes creating a Certificate Signing Request (CSR) for a client certificate. Client certificates are used for mTLS authentication, smart card login, or API access.
What is created:
* ML-DSA-65 key pair
* CSR with client DN and extensions
* Extended Key Usage: clientAuth
Use cases:
* mTLS API authentication
* VPN access
* Smart Card / PIV
* Service-to-service communication
----
===== Difference Server vs. Client CSR =====
^ Aspect ^ Server CSR ^ Client CSR ^
| Extended Key Usage | serverAuth | clientAuth |
| Subject | DNS name (CN) | User/service name |
| SAN | DNS names, IPs | Email, UPN |
| Key Usage | digitalSignature, keyEncipherment | digitalSignature |
----
===== Code Example (C#) =====
<code csharp>
using System;
using System.IO;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Key pair for the client (ML-DSA-65)
using var clientKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// DN for a user or a service
var dn = new DnBuilder()
    .AddCN("John Doe")                  // or service name
    .AddO("Example GmbH")
    .AddOU("Development")
    .AddC("DE")
    .AddEmail("john.doe@example.com")
    .Build();

// Extensions for a client certificate
var extensions = new ExtBuilder()
    .SubjectAlternativeName(new[] {
        "email:john.doe@example.com",
        "upn:john.doe@example.local"     // Windows UPN
    })
    .KeyUsage(KeyUsageFlags.DigitalSignature)
    .ExtendedKeyUsage(ExtKeyUsage.ClientAuth)
    .Build();

// Create the CSR
var csr = ctx.CreateCertificateRequest(clientKey, dn, extensions);

// Save CSR and password-protected private key
File.WriteAllText("client.csr.pem", csr.ToPem());
File.WriteAllText("client.key.pem", clientKey.ToEncryptedPem("ClientPassword!"));

Console.WriteLine("Client CSR created");
Console.WriteLine($"Subject: {csr.Subject}");
</code>
----
===== Service Account CSR =====
For service-to-service communication:
<code csharp>
// Context and key pair as in the example above
using var ctx = PqCryptoContext.Initialize();
using var serviceKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// DN names the service, not a person
var dn = new DnBuilder()
    .AddCN("payment-service")
    .AddO("Example GmbH")
    .AddOU("Microservices")
    .Build();

// SAN carries the service's DNS names; EKU stays clientAuth
var extensions = new ExtBuilder()
    .SubjectAlternativeName(new[] {
        "dns:payment-service.internal",
        "dns:payment-service.prod.svc.cluster.local"   // Kubernetes
    })
    .KeyUsage(KeyUsageFlags.DigitalSignature)
    .ExtendedKeyUsage(ExtKeyUsage.ClientAuth)
    .Build();

var csr = ctx.CreateCertificateRequest(serviceKey, dn, extensions);
</code>
----
===== Parameters =====
==== Extended Key Usage for Clients ====
^ OID ^ Name ^ Usage ^
| 1.3.6.1.5.5.7.3.2 | clientAuth | mTLS client |
| 1.3.6.1.4.1.311.20.2.2 | smartcardLogon | Windows Smart Card |
| 1.3.6.1.5.5.7.3.4 | emailProtection | S/MIME (optional) |
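The OIDs in the table above are what a CA operator actually sees in a decoded CSR, so the check that matters before signing (scenario 3.2) is whether the extKeyUsage value really contains clientAuth and not serverAuth, and whether keyUsage is limited to digitalSignature as the Server vs. Client table requires. The following Python is an added example, not code from this page or from the WvdS library: it DER-encodes and decodes the ExtKeyUsageSyntax structure (a SEQUENCE OF OBJECT IDENTIFIER, RFC 5280 section 4.2.1.12) using only the standard library, and applies the client profile from this page as a policy check. The set of keyUsage bit names passed to `check_client_profile` is assumed to have been extracted from the CSR by other means; the exact-match rule on keyUsage is this example's own strict reading of the table.

```python
"""DER encode/decode of extKeyUsage and a client-CSR policy check (added example)."""

from typing import Iterable, List, Set, Tuple

# OIDs from this page's Extended Key Usage table, plus serverAuth for the negative check.
OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "smartcardLogon": "1.3.6.1.4.1.311.20.2.2",
}
NAMES = {oid: name for name, oid in OIDS.items()}


def _base128(n: int) -> bytes:
    """Base-128 encoding of one OID arc (high bit set on all but the last octet)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER including tag 0x06 and length."""
    arcs = [int(a) for a in dotted.split(".")]
    content = _base128(arcs[0] * 40 + arcs[1])   # first two arcs are packed
    for arc in arcs[2:]:
        content += _base128(arc)
    return b"\x06" + _length(len(content)) + content


def encode_eku(names: Iterable[str]) -> bytes:
    """DER-encode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    content = b"".join(encode_oid(OIDS[n]) for n in names)
    return b"\x30" + _length(len(content)) + content


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length octets)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid_content(content: bytes) -> str:
    """Turn OID content octets back into dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    x = 2 if first >= 80 else first // 40      # unpack 40*X + Y
    return ".".join(str(a) for a in [x, first - 40 * x] + arcs[1:])


def decode_eku(der: bytes) -> List[str]:
    """Return the dotted OIDs found in a DER ExtKeyUsageSyntax value."""
    if der[0] != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oid_len, pos = _read_length(der, pos + 1)
        oids.append(decode_oid_content(der[pos:pos + oid_len]))
        pos += oid_len
    return oids


def check_client_profile(eku_der: bytes, key_usage: Set[str]) -> List[str]:
    """List the violations of this page's client profile; empty list means the CSR conforms."""
    purposes = {NAMES.get(o, o) for o in decode_eku(eku_der)}
    problems = []
    if "clientAuth" not in purposes:
        problems.append("missing clientAuth")
    if "serverAuth" in purposes:
        problems.append("serverAuth not allowed in a client CSR")
    if key_usage != {"digitalSignature"}:
        problems.append("keyUsage must be exactly digitalSignature")
    return problems


if __name__ == "__main__":
    eku = encode_eku(["clientAuth", "smartcardLogon"])
    print(eku.hex())                         # constructed sample: client + smart card logon
    print(decode_eku(eku), check_client_profile(eku, {"digitalSignature"}))
```

The hex printed for the sample value is what `openssl req -text` decodes as "TLS Web Client Authentication, Microsoft Smartcardlogin"; comparing the raw OIDs rather than the friendly names avoids surprises when a tool renders an unknown purpose as its dotted form.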
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| Next Step | 3.2 Client Certificate | Sign CSR by CA |
| Related | 9.1 mTLS Client Auth | Use certificate |
| Alternative | 2.1 Server CSR | For servers |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional