How is CSR encrypted?

Question

Using openssl to generate a CSR:

> openssl req -newkey rsa:2048 -nodes -keyout key -out mycsr.csr

It outputs the mycsr.csr file along with the key file.

The content of mycsr.csr:

And to see the actual content:

> openssl req -text -noout -verify -in mycsr.csr

verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = EG, ST = Cairo, L = Sheraton, O = Foo, OU = FooIT, CN = www.foocompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d6:70:22:0b:db:e8:53:8b:3e:b0:10:d6:b8:ff:
                    0c:8b:df:60:74:23:7d:85:0b:e2:2f:6a:5a:82:5a:
                    0e:c9:d0:ac:a8:34:64:19:37:8a:9f:1a:a4:2b:bc:
                    55:13:41:1d:82:88:0c:19:45:f5:79:59:6c:ec:46:
                    09:23:fe:a8:41:48:d0:47:6a:d2:29:86:99:a0:a9:
                    b9:79:59:ed:1b:c4:d2:4f:5e:d2:1d:42:a6:78:56:
                    65:6e:c6:9b:6f:ab:1c:76:c4:35:ef:ae:6e:e6:81:
                    bc:89:8f:e8:e5:f3:3b:58:6d:51:53:e3:12:ab:66:
                    c1:f8:8e:bc:a2:07:98:ea:7d:28:28:ae:ac:61:92:
                    07:59:ba:f0:ed:54:9e:86:08:a3:5d:4a:51:b8:c3:
                    64:64:16:d0:5e:4b:ca:a8:81:bd:ad:8c:5f:21:0e:
                    3b:3b:88:70:3e:b1:5c:3b:76:95:00:ca:29:dd:9b:
                    c2:fc:28:84:98:cb:71:27:0f:a5:7e:0d:bd:02:ba:
                    d0:35:bb:cd:c2:ba:96:ba:8f:4c:50:45:17:42:4d:
                    98:79:30:09:41:49:9e:f6:86:9a:81:b4:11:d7:4f:
                    06:cd:43:3f:44:0b:e4:2f:12:ed:da:01:4b:ac:3e:
                    cd:f8:59:9f:a8:e3:27:82:df:7d:a9:03:09:7a:55:
                    10:89
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         cb:82:a5:b0:4b:5c:f0:a9:45:a6:c9:6d:d2:16:de:cb:42:3e:
         2c:ee:61:86:e4:2f:46:38:bd:62:6f:74:fd:0e:59:ec:9f:73:
         b8:c3:b0:0b:4c:78:78:01:a8:46:82:02:0e:9f:e2:6c:32:30:
         60:1c:63:72:4e:2b:0c:df:89:a0:af:e1:bb:ac:8f:b4:ba:a9:
         d5:78:ab:8f:b5:88:fe:de:08:cc:a8:8e:b7:26:4f:47:95:30:
         de:86:f5:d3:ef:90:4f:36:a4:d2:6f:0b:84:bb:85:90:43:79:
         dd:d6:b7:09:e8:97:d5:15:e5:d1:aa:b2:e4:6f:d6:d6:fa:58:
         d0:59:53:cf:81:2d:e6:fc:37:27:8d:27:9b:e5:2a:de:56:33:
         00:8f:2c:67:c6:f7:d8:21:cf:34:e3:77:f7:c6:b9:ed:0f:25:
         87:96:1f:5c:74:a6:26:5b:d7:b4:b0:e5:1a:59:f0:24:1e:71:
         49:cf:61:f7:f0:fa:3b:a7:ea:89:cb:b1:aa:39:8c:85:c5:cc:
         0f:c9:d6:bd:3c:f6:9f:65:33:85:ef:6f:7b:16:7a:00:7b:48:
         12:b6:c8:ee:33:97:21:ff:fd:1f:22:36:7e:c9:26:c1:6f:e8:
         90:78:39:f8:64:36:ff:53:03:03:8f:9d:ca:8f:b3:92:07:15:
         d7:52:71:d3

How all these data got encoded (is this the right word?) in the base64 text? I'm not talking about the mathematical operations specifically, but using which techniques? is it encryption or hashing ..?

my definitions of:

Encryption: converting information into unreadable text using a key, the resulting text can be decrypted to the original text using the same key or another private key.

hashing: a one-way conversion of text into unreadable text.

signing: encrypting using the private key then hashing the resulting text.

So, when it says "RSA 2028" and "SHA256", do those terms mean anything to you or are they new terms? — schroeder, Aug 21 '20 at 20:13
And in the links to wiki and the RFP for CSRs in your last question, do they not answer your question? In the wiki article I linked, do you see where it talks about ASN.1? — schroeder, Aug 21 '20 at 20:14
RSA:2048 defines the key size, to my information the key doesn't play a role in the CSR generation. — mshwf, Aug 21 '20 at 20:20
**Signing is not encryption.** For RSA only, not the many other signature algorithms, signing is hashing and padding _then_ modexp with private key, which is vaguely like encryption, resulting in this description being used for a while four decades ago before people realized it was dangerously misleading; we have dozens of Qs and As on this. It is not at all like encrypting then hashing, not even vaguely. — dave_thompson_085, Aug 22 '20 at 03:48

Steffen Ullrich · Answer 1 · 2020-08-21T20:29:32.023

How is CSR encrypted?

It is not encrypted at all. What you see is

PEM encapsulation of the binary CSR. This encapsulation uses Base64 encoding.
The CSR itself is ASN.1 encoded, which basically is a compact binary representation of structured and typed data.

Neither encapsulation nor any kind of encoding are encryption, i.e. there are no keys involved in this. There is a signature though, done with the private key belonging to the public key in the CSR.

... into unreadable text ...

Just because something looks unreadable for the human does not mean it is encrypted or hashed. These data are intended to be processed by computers, not by humans.

A bitmap file looks encrypted if you open it with notepad... — ThoriumBR, Aug 21 '20 at 20:47

score 1 · Accepted Answer · edited Oct 07 '21 at 07:34

Note: this answer was originally on this question from OP. After splitting the question for clarity, the answer has been moved here.

A CSR is not encrypted in any way. All data in it is readable by anyone with no special requirements. The subject's key pair is not involved when parsing a CSR. There is also no encryption, decryption, hashing, or signing involved in parsing a CSR.

A CSR in PEM format (such as the one shown in the question) is a well-defined way of storing structured data in a binary format, then converting into base64 to allow for ascii-based transmission.

Let's take a look at a CSR from generation all the way to final human-readable representation, going through the various phases of processing the data:

Generating a CSR:

Let's generate a CSR using openssl (between **** are the fields I typed in):

$ openssl req -newkey rsa:2048 -keyout key -out mycsr.csr
Generating a RSA private key
.............+++++
............................+++++
writing new private key to 'key'
Enter PEM pass phrase: ****blahblah****
Verifying - Enter PEM pass phrase: ****blahblah****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: ****AU****
State or Province Name (full name) [Some-State]: ****Some-State****
Locality Name (eg, city) []: ****Some City****
Organization Name (eg, company) [Internet Widgits Pty Ltd]: ****Some Company****
Organizational Unit Name (eg, section) []: ****Some Org****
Common Name (e.g. server FQDN or YOUR name) []: ****mywebsite.com****
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

I end up with two files: key (my encrypted private key, we won't worry about that one) and mycsr.csr, the actual CSR that I should be sending to the CA.

Contents of the `.csr`:

$ cat mycsr.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICvTCCAaUCAQAweDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
EjAQBgNVBAcMCVNvbWUgQ2l0eTEVMBMGA1UECgwMU29tZSBDb21wYW55MREwDwYD
VQQLDAhTb21lIE9yZzEWMBQGA1UEAwwNbXl3ZWJzaXRlLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMON0JIMj7Pe3qaGwz2qLHdi/792HjGDXtZy
CuBbiCrxtBPoSsL2qZu/1uiJOW9azqxNoY8Ey8HspM9wVhbjemg2AhXaDok9SYZa
i74yIZo45FMvU0fq0tB7h8YY5fSsSzPLIFln4C44fdYWV+BodSLvHWtQyNT1bx/V
s6aDrXdgownnc3X7CooLeECOZesjehpKi6yiu/x74T2H1nczqvsBlF67uj//YzbN
wmlwG3pvtayx4iNux1/mcOcMlKXAbdtMHjPbcU8p5leMLBjMIIR6HeXhxuHYiqmm
evj6+dKdnwRranz7fmC8069fshTh1vLO0n8LWhXXxid6CNm1RFECAwEAAaAAMA0G
CSqGSIb3DQEBCwUAA4IBAQB60GH3Ky000KwckvIrG6+zI44UN7owt57TQ7Sv5SxR
bToWRXORvLZZSi8YIc5GeowvXJ9MJFcBFQ28oq3ctZoinIj1DAuvFdQy5ttmjTXR
r5lrD/EcVDHVsNBdoc/K0wP0SO2mPwB1TOfL/51O6MffrKgkENQhknqU1VHtkRi+
FA0SD/mA9K4Aki8HOyg8mVZks6q5b1IaymsGkowGbZySOOVdCyoYCAmKks0gEOgC
PM08kymcKVMO8rM7NxsjZIU6txBNhg4ZocolR7fQt5seyEHN7+i3MWPbxadX3v4R
4GMItS53W9Zzp1T++GYIhp+CTkWvwmGDfcEC+kcGCdoN
-----END CERTIFICATE REQUEST-----

Base64 decoding the `.csr`:

As you noticed, this is base64 encoded. Let's decode it, stripping out the header and footer

$ cat mycsr.csr | grep -v CERTIFICATE | base64 -d | hexdump -C
00000000  30 82 02 bd 30 82 01 a5  02 01 00 30 78 31 0b 30  |0...0......0x1.0|
00000010  09 06 03 55 04 06 13 02  41 55 31 13 30 11 06 03  |...U....AU1.0...|
00000020  55 04 08 0c 0a 53 6f 6d  65 2d 53 74 61 74 65 31  |U....Some-State1|
00000030  12 30 10 06 03 55 04 07  0c 09 53 6f 6d 65 20 43  |.0...U....Some C|
00000040  69 74 79 31 15 30 13 06  03 55 04 0a 0c 0c 53 6f  |ity1.0...U....So|
00000050  6d 65 20 43 6f 6d 70 61  6e 79 31 11 30 0f 06 03  |me Company1.0...|
00000060  55 04 0b 0c 08 53 6f 6d  65 20 4f 72 67 31 16 30  |U....Some Org1.0|
00000070  14 06 03 55 04 03 0c 0d  6d 79 77 65 62 73 69 74  |...U....mywebsit|
00000080  65 2e 63 6f 6d 30 82 01  22 30 0d 06 09 2a 86 48  |e.com0.."0...*.H|
...
000002b0  9f 82 4e 45 af c2 61 83  7d c1 02 fa 47 06 09 da  |..NE..a.}...G...|
000002c0  0d                                                |.|

Hey, some of that looks readable already, we can see some of the information I typed into openssl.

DER decoding the ASN.1 data:

This is DER-encoded ASN.1 data, we can tell openssl to parse it for us:

$ cat mycsr.csr | grep -v CERTIFICATE | base64 -d | openssl asn1parse -inform DER -i -dump
    0:d=0  hl=4 l= 701 cons: SEQUENCE          
    4:d=1  hl=4 l= 421 cons:  SEQUENCE          
    8:d=2  hl=2 l=   1 prim:   INTEGER           :00
   11:d=2  hl=2 l= 120 cons:   SEQUENCE          
   13:d=3  hl=2 l=  11 cons:    SET               
   15:d=4  hl=2 l=   9 cons:     SEQUENCE          
   17:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   22:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
   26:d=3  hl=2 l=  19 cons:    SET               
   28:d=4  hl=2 l=  17 cons:     SEQUENCE          
   30:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
   35:d=5  hl=2 l=  10 prim:      UTF8STRING        :Some-State
   47:d=3  hl=2 l=  18 cons:    SET               
   49:d=4  hl=2 l=  16 cons:     SEQUENCE          
   51:d=5  hl=2 l=   3 prim:      OBJECT            :localityName
   56:d=5  hl=2 l=   9 prim:      UTF8STRING        :Some City
   67:d=3  hl=2 l=  21 cons:    SET               
   69:d=4  hl=2 l=  19 cons:     SEQUENCE          
   71:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
   76:d=5  hl=2 l=  12 prim:      UTF8STRING        :Some Company
   90:d=3  hl=2 l=  17 cons:    SET               
   92:d=4  hl=2 l=  15 cons:     SEQUENCE          
   94:d=5  hl=2 l=   3 prim:      OBJECT            :organizationalUnitName
   99:d=5  hl=2 l=   8 prim:      UTF8STRING        :Some Org
  109:d=3  hl=2 l=  22 cons:    SET               
  111:d=4  hl=2 l=  20 cons:     SEQUENCE          
  113:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
  118:d=5  hl=2 l=  13 prim:      UTF8STRING        :mywebsite.com
  133:d=2  hl=4 l= 290 cons:   SEQUENCE          
  137:d=3  hl=2 l=  13 cons:    SEQUENCE          
  139:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
  150:d=4  hl=2 l=   0 prim:     NULL              
  152:d=3  hl=4 l= 271 prim:    BIT STRING        
      0000 - 00 30 82 01 0a 02 82 01-01 00 c3 8d d0 92 0c 8f   .0..............
      0010 - b3 de de a6 86 c3 3d aa-2c 77 62 ff bf 76 1e 31   ......=.,wb..v.1
      0020 - 83 5e d6 72 0a e0 5b 88-2a f1 b4 13 e8 4a c2 f6   .^.r..[.*....J..
      0030 - a9 9b bf d6 e8 89 39 6f-5a ce ac 4d a1 8f 04 cb   ......9oZ..M....
      0040 - c1 ec a4 cf 70 56 16 e3-7a 68 36 02 15 da 0e 89   ....pV..zh6.....
      0050 - 3d 49 86 5a 8b be 32 21-9a 38 e4 53 2f 53 47 ea   =I.Z..2!.8.S/SG.
      0060 - d2 d0 7b 87 c6 18 e5 f4-ac 4b 33 cb 20 59 67 e0   ..{......K3. Yg.
      0070 - 2e 38 7d d6 16 57 e0 68-75 22 ef 1d 6b 50 c8 d4   .8}..W.hu"..kP..
      0080 - f5 6f 1f d5 b3 a6 83 ad-77 60 a3 09 e7 73 75 fb   .o......w`...su.
      0090 - 0a 8a 0b 78 40 8e 65 eb-23 7a 1a 4a 8b ac a2 bb   ...x@.e.#z.J....
      00a0 - fc 7b e1 3d 87 d6 77 33-aa fb 01 94 5e bb ba 3f   .{.=..w3....^..?
      00b0 - ff 63 36 cd c2 69 70 1b-7a 6f b5 ac b1 e2 23 6e   .c6..ip.zo....#n
      00c0 - c7 5f e6 70 e7 0c 94 a5-c0 6d db 4c 1e 33 db 71   ._.p.....m.L.3.q
      00d0 - 4f 29 e6 57 8c 2c 18 cc-20 84 7a 1d e5 e1 c6 e1   O).W.,.. .z.....
      00e0 - d8 8a a9 a6 7a f8 fa f9-d2 9d 9f 04 6b 6a 7c fb   ....z.......kj|.
      00f0 - 7e 60 bc d3 af 5f b2 14-e1 d6 f2 ce d2 7f 0b 5a   ~`..._.........Z
      0100 - 15 d7 c6 27 7a 08 d9 b5-44 51 02 03 01 00 01      ...'z...DQ.....
  427:d=2  hl=2 l=   0 cons:   cont [ 0 ]        
  429:d=1  hl=2 l=  13 cons:  SEQUENCE          
  431:d=2  hl=2 l=   9 prim:   OBJECT            :sha256WithRSAEncryption
  442:d=2  hl=2 l=   0 prim:   NULL              
  444:d=1  hl=4 l= 257 prim:  BIT STRING        
      0000 - 00 7a d0 61 f7 2b 2d 34-d0 ac 1c 92 f2 2b 1b af   .z.a.+-4.....+..
      0010 - b3 23 8e 14 37 ba 30 b7-9e d3 43 b4 af e5 2c 51   .#..7.0...C...,Q
      0020 - 6d 3a 16 45 73 91 bc b6-59 4a 2f 18 21 ce 46 7a   m:.Es...YJ/.!.Fz
      0030 - 8c 2f 5c 9f 4c 24 57 01-15 0d bc a2 ad dc b5 9a   ./\.L$W.........
      0040 - 22 9c 88 f5 0c 0b af 15-d4 32 e6 db 66 8d 35 d1   "........2..f.5.
      0050 - af 99 6b 0f f1 1c 54 31-d5 b0 d0 5d a1 cf ca d3   ..k...T1...]....
      0060 - 03 f4 48 ed a6 3f 00 75-4c e7 cb ff 9d 4e e8 c7   ..H..?.uL....N..
      0070 - df ac a8 24 10 d4 21 92-7a 94 d5 51 ed 91 18 be   ...$..!.z..Q....
      0080 - 14 0d 12 0f f9 80 f4 ae-00 92 2f 07 3b 28 3c 99   ........../.;(<.
      0090 - 56 64 b3 aa b9 6f 52 1a-ca 6b 06 92 8c 06 6d 9c   Vd...oR..k....m.
      00a0 - 92 38 e5 5d 0b 2a 18 08-09 8a 92 cd 20 10 e8 02   .8.].*...... ...
      00b0 - 3c cd 3c 93 29 9c 29 53-0e f2 b3 3b 37 1b 23 64   <.<.).)S...;7.#d
      00c0 - 85 3a b7 10 4d 86 0e 19-a1 ca 25 47 b7 d0 b7 9b   .:..M.....%G....
      00d0 - 1e c8 41 cd ef e8 b7 31-63 db c5 a7 57 de fe 11   ..A....1c...W...
      00e0 - e0 63 08 b5 2e 77 5b d6-73 a7 54 fe f8 66 08 86   .c...w[.s.T..f..
      00f0 - 9f 82 4e 45 af c2 61 83-7d c1 02 fa 47 06 09 da   ..NE..a.}...G...
      0100 - 0d                                                .

Making sense of the contents:

We can see the structure of the file, including all the fields I typed in clearly readable, and some big blobs of data corresponding to my public key and the signature.

The actual ASN.1 structure of a CertificationRequest is defined in RFC2986:

   CertificationRequest ::= SEQUENCE {
        certificationRequestInfo CertificationRequestInfo,
        signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
        signature          BIT STRING
   }

   CertificationRequestInfo ::= SEQUENCE {
        version       INTEGER { v1(0) } (v1,...),
        subject       Name,
        subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
        attributes    [0] Attributes{{ CRIAttributes }}
   }

   SubjectPublicKeyInfo { ALGORITHM : IOSet} ::= SEQUENCE {
        algorithm        AlgorithmIdentifier {{IOSet}},
        subjectPublicKey BIT STRING
   }

   AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
        algorithm          ALGORITHM.&id({IOSet}),
        parameters         ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
   }

Making it human-friendly:

This is all nice and well but this output is still hard to read. Instead, we can ask openssl to do all these steps for us and display it in a much friendlier way:

$ openssl req -text -in mycsr.csr 
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = Some-State, L = Some City, O = Some Company, OU = Some Org, CN = mywebsite.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c3:8d:d0:92:0c:8f:b3:de:de:a6:86:c3:3d:aa:
                    2c:77:62:ff:bf:76:1e:31:83:5e:d6:72:0a:e0:5b:
                    88:2a:f1:b4:13:e8:4a:c2:f6:a9:9b:bf:d6:e8:89:
                    39:6f:5a:ce:ac:4d:a1:8f:04:cb:c1:ec:a4:cf:70:
                    56:16:e3:7a:68:36:02:15:da:0e:89:3d:49:86:5a:
                    8b:be:32:21:9a:38:e4:53:2f:53:47:ea:d2:d0:7b:
                    87:c6:18:e5:f4:ac:4b:33:cb:20:59:67:e0:2e:38:
                    7d:d6:16:57:e0:68:75:22:ef:1d:6b:50:c8:d4:f5:
                    6f:1f:d5:b3:a6:83:ad:77:60:a3:09:e7:73:75:fb:
                    0a:8a:0b:78:40:8e:65:eb:23:7a:1a:4a:8b:ac:a2:
                    bb:fc:7b:e1:3d:87:d6:77:33:aa:fb:01:94:5e:bb:
                    ba:3f:ff:63:36:cd:c2:69:70:1b:7a:6f:b5:ac:b1:
                    e2:23:6e:c7:5f:e6:70:e7:0c:94:a5:c0:6d:db:4c:
                    1e:33:db:71:4f:29:e6:57:8c:2c:18:cc:20:84:7a:
                    1d:e5:e1:c6:e1:d8:8a:a9:a6:7a:f8:fa:f9:d2:9d:
                    9f:04:6b:6a:7c:fb:7e:60:bc:d3:af:5f:b2:14:e1:
                    d6:f2:ce:d2:7f:0b:5a:15:d7:c6:27:7a:08:d9:b5:
                    44:51
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         7a:d0:61:f7:2b:2d:34:d0:ac:1c:92:f2:2b:1b:af:b3:23:8e:
         14:37:ba:30:b7:9e:d3:43:b4:af:e5:2c:51:6d:3a:16:45:73:
         91:bc:b6:59:4a:2f:18:21:ce:46:7a:8c:2f:5c:9f:4c:24:57:
         01:15:0d:bc:a2:ad:dc:b5:9a:22:9c:88:f5:0c:0b:af:15:d4:
         32:e6:db:66:8d:35:d1:af:99:6b:0f:f1:1c:54:31:d5:b0:d0:
         5d:a1:cf:ca:d3:03:f4:48:ed:a6:3f:00:75:4c:e7:cb:ff:9d:
         4e:e8:c7:df:ac:a8:24:10:d4:21:92:7a:94:d5:51:ed:91:18:
         be:14:0d:12:0f:f9:80:f4:ae:00:92:2f:07:3b:28:3c:99:56:
         64:b3:aa:b9:6f:52:1a:ca:6b:06:92:8c:06:6d:9c:92:38:e5:
         5d:0b:2a:18:08:09:8a:92:cd:20:10:e8:02:3c:cd:3c:93:29:
         9c:29:53:0e:f2:b3:3b:37:1b:23:64:85:3a:b7:10:4d:86:0e:
         19:a1:ca:25:47:b7:d0:b7:9b:1e:c8:41:cd:ef:e8:b7:31:63:
         db:c5:a7:57:de:fe:11:e0:63:08:b5:2e:77:5b:d6:73:a7:54:
         fe:f8:66:08:86:9f:82:4e:45:af:c2:61:83:7d:c1:02:fa:47:
         06:09:da:0d
-----BEGIN CERTIFICATE REQUEST-----
MIICvTCCAaUCAQAweDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
EjAQBgNVBAcMCVNvbWUgQ2l0eTEVMBMGA1UECgwMU29tZSBDb21wYW55MREwDwYD
VQQLDAhTb21lIE9yZzEWMBQGA1UEAwwNbXl3ZWJzaXRlLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMON0JIMj7Pe3qaGwz2qLHdi/792HjGDXtZy
CuBbiCrxtBPoSsL2qZu/1uiJOW9azqxNoY8Ey8HspM9wVhbjemg2AhXaDok9SYZa
i74yIZo45FMvU0fq0tB7h8YY5fSsSzPLIFln4C44fdYWV+BodSLvHWtQyNT1bx/V
s6aDrXdgownnc3X7CooLeECOZesjehpKi6yiu/x74T2H1nczqvsBlF67uj//YzbN
wmlwG3pvtayx4iNux1/mcOcMlKXAbdtMHjPbcU8p5leMLBjMIIR6HeXhxuHYiqmm
evj6+dKdnwRranz7fmC8069fshTh1vLO0n8LWhXXxid6CNm1RFECAwEAAaAAMA0G
CSqGSIb3DQEBCwUAA4IBAQB60GH3Ky000KwckvIrG6+zI44UN7owt57TQ7Sv5SxR
bToWRXORvLZZSi8YIc5GeowvXJ9MJFcBFQ28oq3ctZoinIj1DAuvFdQy5ttmjTXR
r5lrD/EcVDHVsNBdoc/K0wP0SO2mPwB1TOfL/51O6MffrKgkENQhknqU1VHtkRi+
FA0SD/mA9K4Aki8HOyg8mVZks6q5b1IaymsGkowGbZySOOVdCyoYCAmKks0gEOgC
PM08kymcKVMO8rM7NxsjZIU6txBNhg4ZocolR7fQt5seyEHN7+i3MWPbxadX3v4R
4GMItS53W9Zzp1T++GYIhp+CTkWvwmGDfcEC+kcGCdoN
-----END CERTIFICATE REQUEST-----

Ah, finally. We have a clear representation of CSR contents. There was no magic here, this is just openssl performing all the decoding necessary. Note that it only has access to the .csr, my keys do not come into play in any of this parsing.

Final word:

The information you see in these last steps is exactly what the CA sees. To summarize:

the subject information
the subject's public key
the signature of the two items above
the algorithm used to sign

How is CSR encrypted?

2 Answers2

Generating a CSR:

Contents of the `.csr`:

Base64 decoding the `.csr`:

DER decoding the ASN.1 data:

Making sense of the contents:

Making it human-friendly:

Final word:

Linked

How is CSR encrypted?

2 Answers2

Generating a CSR:

Contents of the .csr:

Base64 decoding the .csr:

DER decoding the ASN.1 data:

Making sense of the contents:

Making it human-friendly:

Final word:

Linked

Contents of the `.csr`:

Base64 decoding the `.csr`: