Thursday 22 August 2024

Certificate - CSR, CA Signing, how it works

https://www.globalsign.com/en-sg/blog/what-is-a-certificate-signing-request-csr

https://en.wikipedia.org/wiki/Certificate_signing_request

What is a certificate signing request (CSR)

Procedure

Before creating a CSR for an X.509 certificate, the applicant first generates a key pair, keeping the private key of that pair secret, e.g.:

# https://www.openssl.org/docs/manmaster/man1/openssl-genrsa.html
# "openssl genrsa" creates an RSA private key:

$ openssl genrsa -out 2024_wikipedia.org.key

The CSR contains information identifying the applicant (such as a distinguished name), the public key chosen by the applicant, and possibly further information. When using the PKCS #10 format, the request must be self-signed using the applicant's private key, which provides proof-of-possession of the private key but limits the use of this format to keys that can be used for (some form of) signing. The CSR should be accompanied by a proof of origin (i.e., proof of identity of the applicant) that is required by the certificate authority, and the certificate authority may contact the applicant for further information.

Typical information required in a CSR (sample column from sample X.509 certificate). Note that there are often alternatives for the Distinguished Names (DN); the preferred value is listed.

| DN[2] | Information | Description | Sample |
|---|---|---|---|
| CN | Common Name | This is the fully qualified domain name that you wish to secure | *.wikipedia.org |
| O | Organization Name | Usually the legal name of a company or entity and should include any suffixes such as Ltd., Inc., or Corp. | Wikimedia Foundation, Inc. |
| OU | Organizational Unit | Internal organization department/division name | IT |
| L | Locality | Town, city, village, etc. name | San Francisco |
| ST | State | Province, region, county or state. This should not be abbreviated (e.g. West Sussex, Normandy, New Jersey). | California |
| C | Country | The two-letter ISO code for the country where your organization is located | US |
| EMAIL | Email Address | The organization contact, usually of the certificate administrator or IT department | |

This sample command line uses the details as listed in the table above:

# https://www.openssl.org/docs/manmaster/man1/openssl-req.html
# "openssl req" creates a signing request:

$ openssl req -sha512 -new -subj "/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org" -key 2024_wikipedia.org.key -out 2024_wikipedia.org.csr



The CSR then needs to be signed with the CA's private key to become a certificate. The browser has the CA's public key installed, so it can verify the CA's signature. The browser then receives the server certificate and creates a session key using the server's public key:

The client sends session key information, encrypted with the server's public key.

The server decrypts the data sent using its private key. The data is used to create a symmetric key.

The client sends its digital certificate, which includes its public key.

The client sends "Certificate Verify" message, which is signed using its private key.

The server verifies the client's certificate and "Certificate Verify" message using the client's public key.

The client and the server exchange "Finished" messages, encrypted with the symmetric key.



CA signs the CSR

https://www.ibm.com/docs/en/license-metric-tool?topic=certificate-step-2-signing-certificates


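# "openssl x509 -req -signkey" self-signs the request with the given key, so this
# command turns the CA's own CSR into the CA's self-signed certificate
# (signing an applicant's CSR uses -CA and -CAkey instead):

$ openssl x509 -signkey path_to_CA_key.key -days number_of_days -req -in path_to_CA_csr.csr -out CA_certificate_name.arm -sha256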
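The whole flow described on this page, from key pair to CSR to a CA-signed certificate, as an added example (not from the original post or the linked documentation). The demo CA, subjects and file names are constructed; the script also signs the same CSR with -signkey to show that a self-signed result does not chain to the CA.

```shell
#!/bin/sh
# Added example: every name, subject and path below is constructed for the demo.

# Build a throwaway CA, an applicant key + CSR, and two certificates in "$1":
#   server.crt     - CSR signed with the CA's key (-CA/-CAkey)
#   selfsigned.crt - same CSR signed with the applicant's own key (-signkey)
make_demo_pki() {
    d=$1
    # Demo CA: private key plus self-signed root certificate (the trust anchor).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example Demo CA/CN=Example Demo Root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Applicant: private key, then a PKCS #10 CSR self-signed with that key.
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -key "$d/server.key" \
        -subj "/C=US/O=Example Org/CN=www.example.test" \
        -out "$d/server.csr" || return 1
    # CA side: check the CSR's self-signature (proof of possession) ...
    openssl req -in "$d/server.csr" -noout -verify 2>/dev/null || return 1
    # ... then issue the certificate with the CA's private key.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/server.crt" 2>/dev/null || return 1
    # Contrast: -signkey signs with the applicant's own key (self-signed).
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" \
        -days 30 -sha256 -out "$d/selfsigned.crt" 2>/dev/null
}

# Relying-party check: does the certificate ($2) chain to the demo CA in dir $1?
chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# The issued certificate ($2) must carry exactly the public key from the CSR ($1).
same_pubkey() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

dir=$(mktemp -d)
make_demo_pki "$dir"
chains_to_ca "$dir" "$dir/server.crt"     && echo "server.crt: trusted via CA"
chains_to_ca "$dir" "$dir/selfsigned.crt" || echo "selfsigned.crt: not trusted"
same_pubkey "$dir/server.csr" "$dir/server.crt" && echo "public key matches CSR"
rm -rf "$dir"
```

The CA never sees the applicant's private key: it only checks the CSR signature and binds the CSR's public key to the subject under its own signature.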



