Category: Certificate Signing Requests (CSR)
Complexity: (Medium)
Prerequisites: Key pair available
Estimated Time: 5-10 minutes </WRAP> —- ===== Description ===== This scenario describes creating a Certificate Signing Request (CSR) for a TLS server certificate. The CSR contains all information that a CA needs to issue a server certificate. What is created: * ML-DSA-65 key pair (or hybrid) * CSR with server DN and extensions * Subject Alternative Names (SAN) for DNS names Use cases: * HTTPS web servers * API endpoints * Microservices with TLS —- ===== Workflow ===== <mermaid> flowchart LR KEY[Generate key pair] –> DN[Create DN] DN –> EXT[Set extensions] EXT –> CSR[Create CSR] CSR –> SIGN[Sign CSR] SIGN –> EXPORT[Export as PEM] style CSR fill:#e8f5e9 </mermaid> —- ===== Functions Involved ===== ^ Step ^ FFI Function ^ Description ^ | 1 | wvds_sec_crypto_x509_keypair_generate_mldsa(65) | Generate key pair | | 2 | wvds_sec_crypto_x509_dn_create() | Create DN handle | | 3 | wvds_sec_crypto_x509_dn_add_component() | Add CN, O, C | | 4 | wvds_sec_crypto_x509_ext_set_san_dns() | Add DNS names | | 5 | wvds_sec_crypto_x509_ext_set_key_usage() | digitalSignature, keyEncipherment | | 6 | wvds_sec_crypto_x509_ext_set_eku() | serverAuth | | 7 | wvds_sec_crypto_x509_csr_create() | Create CSR | | 8 | wvds_sec_crypto_x509_csr_sign() | Sign CSR with private key | | 9 | wvds_sec_crypto_x509_csr_to_pem() | Export as PEM | —- ===== Code Example (C#) ===== <code csharp> using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; 1. Initialize context using var ctx = PqCryptoContext.Initialize(); 2. Generate key pair for server using var serverKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65); 3. Distinguished Name var dn = new DnBuilder() .AddCN(„www.example.com“) .AddO(„Example GmbH“) .AddOU(„IT Department“) .AddC(„DE“) .AddL(„Munich“) .Build(); 4. Extensions for server certificate var extensions = new ExtBuilder() .SubjectAlternativeName(new[] { „www.example.com“, „example.com“, „api.example.com“ }) .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment) .ExtendedKeyUsage(ExtKeyUsage.ServerAuth) .Build(); 5. Create and sign CSR var csr = ctx.CreateCertificateRequest(serverKey, dn, extensions); 6. Save as PEM File.WriteAllText(„server.csr.pem“, csr.ToPem()); File.WriteAllText(„server.key.pem“, serverKey.ToEncryptedPem(„SecurePassword123!“)); Console.WriteLine(„CSR created: server.csr.pem“); Console.WriteLine($„Subject: {csr.Subject}“); Console.WriteLine($„SANs: {string.Join(“, „, csr.SubjectAlternativeNames)}“); </code> —- ===== Parameters ===== ==== Subject Alternative Names ==== ^ Type ^ Prefix ^ Example ^ | DNS Name | dns: | www.example.com | | IP Address | ip: | 192.168.1.100 | | Email | email: | admin@example.com | | URI | uri: | https://example.com | ==== Key Usage for Server ==== ^ Flag ^ Description ^ Required ^ | digitalSignature | Sign TLS handshake | Yes | | keyEncipherment | RSA key exchange (not for ECDHE) | Optional | | keyAgreement | ECDH key exchange | Optional | —- ===== Output Files ===== ==== server.csr.pem ==== <code> —–BEGIN CERTIFICATE REQUEST—– MIICxjCCAi0CAQAwgYExCz… (Base64 DER) —–END CERTIFICATE REQUEST—– </code> ^ Field ^ Value ^ | Version | 1 (0x00) | | Subject | CN=www.example.com, O=Example GmbH, C=DE | | Public Key | ML-DSA-65 (~1,952 bytes) | | Attributes | Extension Request (SAN, Key Usage, EKU) | | Signature | ML-DSA-65 (Self-Proof-of-Possession) | —- ===== Common Errors ===== ^ Problem ^ Cause ^ Solution ^ | CSR rejected | CN not in SAN | Always add CN as SAN too | | CA does not accept CSR | Wrong format | Check PEM format | | Key Usage missing | Extensions not set | Use ExtBuilder | —- ===== Related Scenarios ===== ^ Relationship ^ Scenario ^ Description ^ | Next Step | 3.1 Server Certificate | Have CSR signed by CA | | Alternative | 2.3 Multi-SAN CSR | Multiple domains | | Related** | 2.2 Client CSR | For client authentication |

« <- CSR Overview | ^ Scenarios | 2.2 Client CSR -> »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional