How to generate certificate signing request?

Hello. Please can you tell where I can find the info about how to generate a certificate signing request (CSR, X509, for a certificate authority to get it signed into a certificate, or to self-sign using OpenSSL) based on existing AUTH RSA private key stored into a CryptoStick. Preferably using Windows 7. I saw some instructions for Linux and OpenSC, but they didn’t work out for me - got many "headers, libs not found’ errors. Not a Linux user at all. Is there any step-by-step instruction for Windows environment? Thanks a lot!

I did it with GnuPG 2.

You may try to use “gpgsm --gen-key > ~/mycsr.pem” and in the subsequent dialog select the existing key on the card. Send this CSR to your CA to get a certificate. Once you received the signed certificate back from your CA do a “gpgsm --import cert.pem”.

As a prerequisit, make sure your application knows the device: “gpgsm --learn-card”

You could find instructions in German here … 40662.html

Thank you, Jans. Have already figured it out. It was not so obvious to a newbie like me, though.

I’m glad that it worked out for you eventually. Would be great if you could post instructions for the next user generating a CSR. Thanks.

Well, it’s almost exactly as you posted above. I can only try to transform it into a simple step-by-step tutorial for a Windows environment.


  • download and install the latest GPG4Win binaries Only the base component (GnuPG 2.0.x) is necessary;
  • AUTH RSA-key stored into your smart-card (see CryptoStick Installation Guide | 2. Initialize the Crypto Stick).
  1. Plug-in your CryptoStick. Open command prompt and execute:


Please select what kind of key you want: (1) RSA (2) Existing key (3) Existing key from card Your selection?
Select 3

AUTH key is OPENPGP.3, so select 3 again.
Then enter a desired info about your certificate into the prompted fields (see gpgsm manual for more info):

Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=John Doe
Enter email addresses (end with an empty line):

Enter DNS names (optional; end with an empty line):

Enter URIs (optional; end with an empty line):

Parameters to be used for the certificate request:
Key-Type: card:OPENPGP.3
Key-Length: 1024
Key-Usage: sign, encrypt
Name-DN: CN=John Doe

Really create request? (y/N) y[/code]
Enter your User PIN.

Now creating certificate request. This may take a while ... gpgsm: about to sign CSR for key: &XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX gpgsm: certificate request created Ready. You should now send this request to your CA.
Now you have your certificate signing request stored into [your_csr_filename].pem file.

  1. You can send this file or copy-paste its contents to your CA to sign (e.g. CACert, StartSSL etc.) or self-sign it by using OpenSSL (there are plenty articles about how to do it on the Internet). As a result you’ll get your personal signed certificate in PEM format [your_personal_cert].pem or [your_personal_cert].crt.

  2. Import your personal certificate into your smart-card. It can be done by using either GnuPG 2 or OpenSC.

ATTENTION: CryptoStick supports personal certificates in DER (binary) format only. You have to convert your PEM file first by using OpenSSL, online converters (e.g., Mozilla Firefox plug-in ( or inquire your CA to deliver your certificate in DER format.

Using GnuPG 2: plug-in your CryptoStick, open command prompt and execute

In the prompt “gpg/card>” enter hidden command

writecert 3 < [your_cert_in_DER_format_filename].crt* there is also a hidden command “readcert 3 > mycert.crt” to export your personal X.509 certificate from a smart-card to a file.

Then type “quit” and press Enter.

Using OpenSC: download and install the latest OpenSC binaries, plug-in your CryptoStick, open command prompt and execute

Enter Admin PIN. The END.

Now you can use your existing AUTH RSA private key and personal X.509 certificate to sign/encrypt your e-mail, or to authenticate on respective web-sites, OpenVPN servers etc. using PKCS#11 and your CriptoStick only (or OpenPGP mini-driver for Microsoft IE, Google Chrome etc. – see

Would be great if you could post instructions for the next user generating a CSR. Thanks