Certificate Signing Requests

Certificate signing requests are described in PKCS#10 standard. They are used to supply a Certification Authority with the needed information to issue a valid certificate without knowing the private key. This includes personal information, the public key and additional extensions.

It is not necessary to generate a request prior to signing it by your CA or before self-signing it. Simply start generating the certificate directly. People using the OpenSSL command line tools are used to generate a request with “openssl req -new … and then signing it. This is not necessary with XCA.

Tracking signed CSR with XCA can be done by the Signed and Certificate count columns of the certificate signing request tab. The Signed column is an information stored in the database whenever a CSR was used to issue a certificate. Also an automatic comment is left in the comment of the CSR in this case. It does not depend on the certificate remaining in the XCA database. The Certificate count column on the other hand displays the number of currently available certificates with the same public key in the database.

Generating a new Request

After clicking on the New Request button, the Certificate dialog will be started to ask all needed information for generating a new Request. See: Certificate Input Dialog

The request generation can also be invoked by the context menu of a certificate Transform->Request. This menu point is only available if the private key of the certificate is available.

In this case all needed data is copied from the certificate and the Certificate dialog is not invoked.

Request Export

Requests can be exported by the context-menu or by the button on the right.

  • Clipboard Writes all selected requests in PEM format to the Clipboard.

  • File: Write the request into a file. The filename can be selected in the export dialog and the Export format:

  • PEM: (*.csr) PEM Text format with headers

  • DER: (*.der) Binary DER format of the certificate request

  • OpenSSL config: (*.conf) OpenSSL configuration file to create a certificate or request with the openssl commandline tool

The OpenSSL config file format can be used to generate a similar request with openssl openssl req -new -config <file>

Request Transformation

A request transformation creates a new database entry based on the selected request

  • Template Create an XCA template with the values of the request.

  • Public Key Extract the public key from the request and store it in the Private Keys Tab.

  • Similar Request Starts the Certificate input dialog preset with all values from the current request to create a new request.

Request Details

All information contained in the request are shown. If the key-store contains the private key corresponding to the request the keys internal name is shown in the Key field, which can be clicked to show it.