RFC 2986 defines the request format, also known as PKCS #10, and includes the following elements:

  • Certificate signing request version
  • Requested subject distinguished name (DN) for the certificate
  • Public key for the requested certificate
  • Requested set of extensions for the certificate
  • Signature that proves the requester has the private key for the given public key

To create a certificate signing request, use the manage-certificates generate-certificate-signing-request command, which performs the following steps:

  1. Generates a public and private key pair.
  2. Stores the key pair in a key store with a given alias.
  3. Outputs the certificate signing request to the terminal.
  4. Optionally writes the certificate signing request to a file.

Because a certificate signing request contains many of the same elements as a certificate, the command to generate one takes most of the same arguments as for generating a self-signed certificate. The following arguments are unavailable when generating a CSR:

  • --replace-existing-certificate
  • --days-valid {number}
  • --validity-start-time {timestamp}

The following arguments are available when generating a certificate signing request but not when generating a self-signed certificate:

--output-file {path}
Path to a file to which the certificate signing request is written. If this value is not provided, the request is written only to the terminal in PEM form.
--output-format {value}
Format to use when writing the certificate signing request. This value can be PEM or DER, but the DER format is used only in conjunction with the --output-file argument. Defaults to PEM if the --output-format {value} argument is not provided.
Indicates that the CSR should use a key pair that already exists in the key store with the given alias, rather than generating a new key pair (in which case the specified alias must not already be in use in the key store).

The following example command creates a CSR.

bin/manage-certificates generate-certificate-signing-request \
     --output-file ds1-cert.csr \
     --output-format PEM \
     --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --keystore-type JKS \
     --alias server-cert \
     --subject-dn "CN=ds.example.com,O=Example Corp,C=US" \
     --key-algorithm EC \
     --key-length-bits 256 \
     --signature-algorithm SHA256withECDSA \
     --subject-alternative-name-dns ds.example.com \
     --subject-alternative-name-dns ds1.example.com \
     --subject-alternative-name-dns localhost \
     --subject-alternative-name-ip-address \
     --subject-alternative-name-ip-address \
     --subject-alternative-name-ip-address 0:0:0:0:0:0:0:1 \
     --key-usage digital-signature \
     --key-usage key-encipherment \
     --key-usage key-agreement \
     --extended-key-usage server-auth \
     --extended-key-usage client-auth
Successfully created a new JKS keystore.
Successfully generated the key pair to use for the certificate signing
Successfully wrote the certificate signing request to file

If the contents of the resulting CSR file are made available to a certification authority to be signed, the resulting signed certificate can be imported into the key store.

To print the contents of a certificate signing request file, use the display-certificate-signing-request-file subcommand, which supports the following arguments:

--certificate-signing-request-file {path}
Path to the file that contains the certificate signing request to display.
Indicates that the command should display verbose information about the request rather than the basic set of information.

The following example demonstrates the basic output from the command.

$ bin/manage-certificates display-certificate-signing-request-file \
     --certificate-signing-request-file ds1-cert.csr
PKCS #10 Certificate Signing Request Version:  v1
Subject DN:  CN=ds.example.com,O=Example Corp,C=US
Signature Algorithm:  SHA-256 with ECDSA
Public Key Algorithm:  EC (secP256r1)

The following example demonstrates the verbose output.

$ bin/manage-certificates display-certificate-signing-request-file \
     --certificate-signing-request-file ds1-cert.csr \
PKCS #10 Certificate Signing Request Version:  v1
Subject DN:  CN=ds.example.com,O=Example Corp,C=US
Signature Algorithm:  SHA-256 with ECDSA
Signature Value:
Public Key Algorithm:  EC (secP256r1)
Elliptic Curve Public Key Is Compressed:  false
Elliptic Curve X-Coordinate: 
Elliptic Curve Y-Coordinate: 
Certificate Extensions:
     Subject Key Identifier Extension:
          Is Critical:  false
          Key Identifier:
     Subject Alternative Name Extension:
          Is Critical:  false
          DNS Name:  ds.example.com
          DNS Name:  ds1.example.com
          DNS Name:  localhost
          IP Address:
          IP Address:
          IP Address:  0:0:0:0:0:0:0:1
     Key Usage Extension:
          Is Critical:  false
          Key Usages:
               Digital Signature
               Key Encipherment
               Key Agreement
     Extended Key Usage Extension:
          Is Critical:  false
          Key Purpose ID:  TLS Server Authentication
          Key Purpose ID:  TLS Client Authentication
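As an added example (not part of this documentation or of the manage-certificates tool), the following Python script, which assumes the `cryptography` package is installed, builds a CSR carrying the same subject and extensions as the example command above, then parses it to recover the RFC 2986 elements that the display subcommand prints and verifies the self-signature that proves the requester holds the private key.

```python
import ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

EKU_NAMES = {ExtendedKeyUsageOID.SERVER_AUTH: "TLS Server Authentication",
             ExtendedKeyUsageOID.CLIENT_AUTH: "TLS Client Authentication"}  # labels as the page prints them

def build_csr_pem(private_key):
    """Constructed CSR with the page's subject and extensions (DN built in DER order C, O, CN)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
                         x509.NameAttribute(NameOID.COMMON_NAME, "ds.example.com")])
    san = x509.SubjectAlternativeName(
        [x509.DNSName(n) for n in ("ds.example.com", "ds1.example.com", "localhost")]
        + [x509.IPAddress(ipaddress.ip_address("::1"))])
    key_usage = x509.KeyUsage(digital_signature=True, key_encipherment=True, key_agreement=True,
                              content_commitment=False, data_encipherment=False, key_cert_sign=False,
                              crl_sign=False, encipher_only=False, decipher_only=False)
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(subject)
           .add_extension(x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), critical=False)
           .add_extension(san, critical=False).add_extension(key_usage, critical=False)
           .add_extension(eku, critical=False)
           .sign(private_key, hashes.SHA256()))  # SHA256withECDSA over CertificationRequestInfo
    return csr.public_bytes(serialization.Encoding.PEM)

def inspect_csr(pem):
    """Return what display-certificate-signing-request-file prints, plus a signature check."""
    csr = x509.load_pem_x509_csr(pem)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    ku = csr.extensions.get_extension_for_class(x509.KeyUsage).value
    eku = csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return {
        "subject_dn": csr.subject.rfc4514_string(),  # RFC 4514 form reverses the DER order
        "signature_hash": csr.signature_hash_algorithm.name,
        "curve": csr.public_key().curve.name,
        "dns_names": san.get_values_for_type(x509.DNSName),
        "ip_addresses": [str(ip) for ip in san.get_values_for_type(x509.IPAddress)],
        "key_usages": [n for n in ("digital_signature", "key_encipherment", "key_agreement",
                                   "key_cert_sign", "crl_sign") if getattr(ku, n)],
        "extended_key_usages": [EKU_NAMES.get(oid, oid.dotted_string) for oid in eku],
        # A valid self-signature is the proof that the requester holds the private key.
        "signature_valid": csr.is_signature_valid,
    }

def demo():
    # Fresh P-256 key pair, as --key-algorithm EC --key-length-bits 256 in the page's command.
    return inspect_csr(build_csr_pem(ec.generate_private_key(ec.SECP256R1())))
```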