signercli -csr
Certificate Signing Request (CSR) Command – Full Reference
1. Overview
The signercli -csr command is used to generate a Certificate Signing Request (CSR) along with a corresponding private key.
Key characteristics:
- The private key is generated and stored securely on the server
- Only the CSR is exported to the user
- The CSR can be submitted to an external Certificate Authority (CA)
- After certificate issuance, the certificate can be uploaded and linked to the private key
This approach ensures that private key material never leaves the server, making it suitable for secure and compliant environments.
2. Command Usage
signercli -csr <command> [options]
3. Commands
| Command | Description |
|---|---|
| generate | Generate a CSR and a new private key |
| help | Display help message |
4. Required Options
The following options are mandatory when generating a CSR:
| Option | Description |
|---|---|
| -cn <common-name> | Common Name (e.g., domain name or service name) |
| -api-key <key> | API key for authentication (required) |
Login-based authentication is not supported.
All CSR operations require API key authentication.
5. Subject (Distinguished Name) Options
These options define the subject information included in the CSR.
| Option | Description |
|---|---|
| -c <country> | Country code (2-letter, e.g., KR, US, JP) |
| -st <state> | State or Province |
| -l <locality> | City or Locality |
| -org <organization> | Organization name |
| -ou <unit> | Organizational Unit |
| -email <email> | Email address |
Only -cn is required; all other subject fields are optional.
6. Key Options
| Option | Description |
|---|---|
| -keysize <bits> | Key size in bits (default: 2048) |
Common values:
- 2048 (default, widely supported)
- 4096 (higher security, larger key)
7. Output Options
| Option | Description |
|---|---|
| -host <url> | Signer Server URL (default: https://localhost:7443) |
| -o <dir> | Output directory for the generated CSR file |
8. CSR Generation Examples
Generate a Basic CSR
signercli -csr generate \
-cn example.com \
-api-key cdk_xxx
Generate a CSR with Full Subject Information
signercli -csr generate \
-cn example.com \
-c KR \
-st Seoul \
-l Gangnam \
-org "My Company" \
-ou "IT Dept" \
-email admin@example.com \
-api-key cdk_xxx
Generate a CSR with a 4096-bit Key and Save to a Directory
signercli -csr generate \
-cn example.com \
-keysize 4096 \
-o /tmp \
-api-key cdk_xxx
9. Output Artifacts
After successful execution, the following artifacts are produced:
- CSR file
  - PEM format
  - Written to the specified output directory (or default location)
- Private Key ID
  - Displayed in the command output
  - Private key is stored securely on the server
The private key itself is never exported or downloadable.
10. Typical CSR Workflow
A standard certificate issuance workflow using signercli -csr:
1. Generate CSR and private key (signercli -csr generate)
2. Submit CSR to Certificate Authority (CA)
3. Receive signed certificate from CA
4. Upload certificate to Signer Server
5. Link certificate to private key
Example linking step:
signercli -privkeylink <key_id> <cert_id> -api-key cdk_xxx
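Before the CSR goes to the CA (step 2), it is worth confirming that the PEM file carries the subject and key size that were requested and that its self-signature verifies. The following is an added example, not part of signercli or its documentation; it assumes the openssl CLI is installed, and check_csr, make_sample_csr and the file paths are hypothetical names.

```shell
#!/bin/sh
# Added example: pre-submission checks for a PEM CSR, using the openssl CLI.
# check_csr and make_sample_csr are hypothetical helpers, not signercli features.

# check_csr FILE EXPECTED_CN MIN_BITS -> returns 0 only if every check passes
check_csr() {
    csr=$1; want_cn=$2; min_bits=$3

    # 1. Self-signature: shows the CSR was signed by the key matching its public
    #    key and was not altered afterwards. Match on the message text because
    #    older OpenSSL releases can exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: self-signature does not verify" >&2; return 1; }

    # 2. Subject: the CN must be the value that was passed to -cn.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$want_cn" ] || {
        echo "FAIL: CN is '$cn', expected '$want_cn'" >&2; return 1; }

    # 3. Key size: must be at least the value requested with -keysize.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] || {
        echo "FAIL: key size '${bits:-unknown}' is below $min_bits" >&2; return 1; }

    echo "OK: CN=$cn, $bits-bit key, self-signature valid"
}

# Constructed fixture for trying the check offline: writes a throwaway key and
# CSR into directory $1. It only stands in for a signercli-produced CSR; real
# keys stay on the Signer Server and are never generated locally like this.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=example.com/O=My Company' \
        -keyout "$1/sample.key" -out "$1/sample.csr" 2>/dev/null
}

# Usage with a real file (the path is a placeholder):
#   check_csr /path/to/output.csr example.com 2048
```

A non-zero return means the file should not be submitted as-is; the reason is printed on stderr.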
11. Security Notes
- Private keys are generated server-side and never exposed
- CSR generation does not require HSM PIN input (unless policy enforces HSM-backed keys)
- API key permissions control who can generate CSRs
This design supports:
- Compliance requirements
- Secure key custody
- Enterprise signing environments
12. Relationship to Other Commands
| Command | Description |
|---|---|
| signercli -cert-api | Upload and manage issued certificates |
| signercli -privkey | Private key management |
| signercli -privkey link | Link private key to certificate |
| signercli -pubkey | Public key management |
13. Typical Use Cases
- Requesting certificates from external CAs
- Generating server TLS certificates
- Creating code signing or document signing certificates
- Secure key generation for regulated environments
14. Summary
The signercli -csr command provides a secure, server-centric CSR generation workflow, enabling:
- Safe private key generation and storage
- Standards-compliant CSR creation
- Clean integration with external CAs
- Seamless linking to certificates after issuance
It is the recommended method for generating keys and CSRs in production-grade signing systems.