How to generate CSR?

I ran the Let's Encrypt SSL cert successfully. How can I use the cert to generate a CSR for our Digital Signature project?

Need advice

Thanks

A “CSR” is a Certificate Signing Request.
Essentially a request to have a cert signed by a public authority.
If you have an LE cert, you have already completed that process.

I don’t see how you could use an already signed cert as a CSR and thus request it to be signed by another authority and somehow have that resolve your problem within your “Digital Signature project”.

Perhaps I just don’t understand your project.
Maybe you care to explain what the project is about and how it will use LE cert(s).

1 Like

You can do that using openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key. But I’m similarly confused why you’d want to.

See:
https://www.sslshopper.com/article-most-common-openssl-commands.html

2 Likes

Hi all,

Thanks for your reply. Yes, we are in the process of developing a digital signature project, so everyone in my domain would have their own CSR based on Let's Encrypt SSL. This is the scenario:
A user signs a PDF file, and I would give them a CSR and PFX based on our domain's Let's Encrypt cert.

What we have now is the Let's Encrypt cert, .pem files.
I don’t know whether this is possible or not using Let's Encrypt.

Need advice.

Thanks

1 Like

This is frankly nonsensical. A CSR is based on a private key that only you have, and certain data that you want the signing authority to authenticate. It's used so that the CA can validate your control of the private key, without having the private key themselves. While the CSR could be generated by a Let's Encrypt client, the CSR has nothing whatsoever to do with Let's Encrypt.

It's apparently pretty simple to generate a CSR if you have both the cert and the private key, using the command I posted above. But I still don't see what good it will do for you.

2 Likes

What would the role of the CSR be with this 'user signing a PDF file' process? Because I'm not seeing it.

So I tried that with a cert and key I have: openssl x509 -x509toreq -in cert7.pem -out ~/csr.pem -signkey privkey7.pem. That generated a CSR:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=pbx.familybrown.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:62:bf:c0:17:42:8c:2e:bb:47:d7:31:6f:17:
                    e4:51:b5:45:b9:f7:77:c0:e9:f4:08:58:9d:0b:3f:
                    0c:11:04:7e:88:fe:ab:44:b0:62:47:c7:53:bb:0e:
                    21:91:45:51:32:73:64:9b:28:d4:1e:43:86:08:75:
                    fd:82:a9:99:64:18:a7:9c:dc:37:2c:41:c5:c8:1a:
                    3d:ac:35:18:16:00:67:a3:ee:b7:bf:60:bc:40:a1:
                    38:20:01:d5:f7:9f:04:7a:f6:b3:cc:b4:18:25:68:
                    d8:7a:12:5e:7c:4a:4b:c6:8d:c4:68:46:6b:19:a5:
                    6b:01:fe:4c:be:aa:55:54:c2:d3:c9:e9:4b:e3:97:
                    98:8b:35:ef:5b:52:a4:6e:95:86:08:75:96:c2:73:
                    3e:8f:11:24:d0:fd:93:e3:7a:aa:62:e6:e7:50:03:
                    ac:39:22:da:8c:92:1f:d4:20:1d:2f:20:2b:96:cc:
                    6e:a7:c0:47:b8:35:bd:df:2a:43:91:06:d1:42:11:
                    6e:38:b2:bc:e5:7e:cc:06:ca:d6:de:7e:65:cc:45:
                    2d:1e:83:88:b5:f0:72:a4:c7:6b:a8:35:50:6e:d4:
                    13:6c:fc:03:16:a6:14:76:22:d3:7a:6f:fe:15:ed:
                    0c:79:95:f4:59:76:20:fd:84:cf:2f:c7:49:db:6b:
                    9f:ad
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         8b:63:e9:92:5e:fa:d2:f6:42:42:08:52:84:1c:64:8e:90:15:
         f0:d5:dd:ff:56:fb:25:b5:e2:25:be:9b:28:ba:54:c0:07:2b:
         d3:88:8d:ae:55:3c:b1:86:23:86:78:07:ff:52:f5:ec:5f:2c:
         28:c4:2e:63:cc:37:91:8c:d2:82:83:00:67:5a:c3:56:24:f3:
         e6:16:b4:5a:a0:6b:b0:9d:3c:11:7c:18:31:73:69:08:62:51:
         7c:a8:75:6d:c0:79:8c:ed:bb:e1:d5:b4:5e:48:3a:17:e1:80:
         1e:48:cf:26:88:da:66:46:ca:b8:56:3c:85:01:e0:78:de:33:
         3a:b9:2c:fa:5b:12:24:f4:90:21:13:43:63:57:ad:aa:85:20:
         fb:49:b4:81:b8:b7:1f:68:3b:e5:c8:be:83:ea:9c:1d:3f:74:
         10:9e:2c:0e:20:06:59:e8:4e:77:00:cd:0b:d7:0d:37:45:83:
         87:82:05:c3:d8:d6:a9:e7:c0:38:c8:d3:95:49:4e:ae:35:56:
         3a:bc:9e:e8:0c:ec:af:99:0f:9e:33:aa:01:17:b3:3c:d5:e0:
         2a:8e:36:a8:83:2c:c6:63:50:a1:61:2e:20:79:13:b2:95:b0:
         1d:c0:47:ec:50:82:20:c8:3d:16:89:86:42:94:e3:a6:ce:7d:
         0b:f1:82:62
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

As you see (because this file contains both the PEM-encoded request and the cleartext representation of it), the CSR, which was generated from a Let's Encrypt-generated cert, contains absolutely no reference to Let's Encrypt. So how do you expect to use this? And what benefit do you get from generating a CSR in this very roundabout fashion, vs. just running openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key to create the CSR and private key?

2 Likes
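
The point made in the two posts above, as an added example that is not part of the original thread: a CSR derived from an issued cert carries only the subject and public key, proves possession of the private key through its self-signature, and is equivalent to one made directly from the key. The CA name, subject and file names are constructed stand-ins for the Let's Encrypt cert, and the script assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added demo; the CA, subject and file names are constructed stand-ins.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_fixture() {
    # Stand-in CA plus a leaf cert it issues (the role the LE cert plays).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.req \
        -subj "/CN=host.example.test" 2>/dev/null
    openssl x509 -req -in leaf.req -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out leaf.pem -days 1 2>/dev/null
    # The conversion from the thread: issued cert + private key -> CSR.
    openssl x509 -x509toreq -in leaf.pem -signkey leaf.key \
        -out from_cert.csr 2>/dev/null
    # The direct route: CSR from the same key, no cert involved.
    openssl req -new -key leaf.key -subj "/CN=host.example.test" \
        -out direct.csr 2>/dev/null
}

csr_pubkey()  { openssl req  -in "$1" -noout -pubkey; }
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Succeeds if the CSR's self-signature verifies (proof of key possession).
# Matches the message rather than relying on the exit status alone.
csr_self_signed_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Prints how many lines of the decoded CSR name the issuing CA.
csr_ca_mentions() {
    openssl req -in "$1" -noout -text | grep -c "Constructed Test CA" || true
}

make_fixture
[ "$(csr_pubkey from_cert.csr)" = "$(cert_pubkey leaf.pem)" ] \
    && echo "CSR carries the cert's public key"
[ "$(csr_pubkey from_cert.csr)" = "$(csr_pubkey direct.csr)" ] \
    && echo "direct CSR from the key is equivalent"
csr_self_signed_ok from_cert.csr && echo "CSR self-signature verifies"
echo "issuer in cert: $(openssl x509 -in leaf.pem -noout -issuer)"
echo "CA mentions in CSR: $(csr_ca_mentions from_cert.csr)"
```
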

I think we have lost sight of (or have never clearly seen) your objective.
The “solution” you are trying to implement to it doesn’t seem to get you any closer to your desired outcome.

You need to begin at the beginning and design a solution that actually can solve your problem.

That said, from what I can… guess, it seems that you want to sign PDF documents with some sort of global authority “stamp” of approval / “tamperproof seal”.
I don’t think LE can be twisted into such a shape.
But this is certainly the right place to discuss such topics / ideas.

1 Like
