diff --git a/pkg/apis/certificates/install/install.go b/pkg/apis/certificates/install/install.go
new file mode 100644
index 00000000000..f77e94902b8
--- /dev/null
+++ b/pkg/apis/certificates/install/install.go
@@ -0,0 +1,131 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package install installs the certificates API group, making it available as
+// an option to all of the API encoding/decoding machinery.
+package install
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/meta"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/apimachinery"
+	"k8s.io/kubernetes/pkg/apimachinery/registered"
+	"k8s.io/kubernetes/pkg/apis/certificates"
+	"k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/util/sets"
+)
+
+const importPrefix = "k8s.io/kubernetes/pkg/apis/certificates"
+
+var accessor = meta.NewAccessor()
+
+// availableVersions lists all known external versions for this group from most preferred to least preferred
+var availableVersions = []unversioned.GroupVersion{v1alpha1.SchemeGroupVersion}
+
+func init() {
+	registered.RegisterVersions(availableVersions)
+	externalVersions := []unversioned.GroupVersion{}
+	for _, v := range availableVersions {
+		if registered.IsAllowedVersion(v) {
+			externalVersions = append(externalVersions, v)
+		}
+	}
+	if len(externalVersions) == 0 {
+		glog.V(4).Infof("No version is registered for group %v", certificates.GroupName)
+		return
+	}
+
+	if err := registered.EnableVersions(externalVersions...); err != nil {
+		glog.V(4).Infof("%v", err)
+		return
+	}
+	if err := enableVersions(externalVersions); err != nil {
+		glog.V(4).Infof("%v", err)
+		return
+	}
+}
+
+// TODO: enableVersions should be centralized rather than spread in each API
+// group.
+// We can combine registered.RegisterVersions, registered.EnableVersions and
+// registered.RegisterGroup once we have moved enableVersions therecertificates
+func enableVersions(externalVersions []unversioned.GroupVersion) error {
+	addVersionsToScheme(externalVersions...)
+	preferredExternalVersion := externalVersions[0]
+
+	groupMeta := apimachinery.GroupMeta{
+		GroupVersion:  preferredExternalVersion,
+		GroupVersions: externalVersions,
+		RESTMapper:    newRESTMapper(externalVersions),
+		SelfLinker:    runtime.SelfLinker(accessor),
+		InterfacesFor: interfacesFor,
+	}
+
+	if err := registered.RegisterGroup(groupMeta); err != nil {
+		return err
+	}
+	api.RegisterRESTMapper(groupMeta.RESTMapper)
+	return nil
+}
+
+func newRESTMapper(externalVersions []unversioned.GroupVersion) meta.RESTMapper {
+	// the list of kinds that are scoped at the root of the api hierarchy
+	// if a kind is not enumerated here, it is assumed to have a namespace scope
+	rootScoped := sets.NewString(
+		"CertificateSigningRequest",
+	)
+
+	ignoredKinds := sets.NewString()
+
+	return api.NewDefaultRESTMapper(externalVersions, interfacesFor, importPrefix, ignoredKinds, rootScoped)
+}
+
+// interfacesFor returns the default Codec and ResourceVersioner for a given version
+// string, or an error if the version is not known.
+func interfacesFor(version unversioned.GroupVersion) (*meta.VersionInterfaces, error) {
+	switch version {
+	case v1alpha1.SchemeGroupVersion:
+		return &meta.VersionInterfaces{
+			ObjectConvertor:  api.Scheme,
+			MetadataAccessor: accessor,
+		}, nil
+	default:
+		g, _ := registered.Group(certificates.GroupName)
+		return nil, fmt.Errorf("unsupported storage version: %s (valid: %v)", version, g.GroupVersions)
+	}
+}
+
+func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {
+	// add the internal version to Scheme
+	certificates.AddToScheme(api.Scheme)
+	// add the enabled external versions to Scheme
+	for _, v := range externalVersions {
+		if !registered.IsEnabledVersion(v) {
+			glog.Errorf("Version %s is not enabled, so it will not be added to the Scheme.", v)
+			continue
+		}
+		switch v {
+		case v1alpha1.SchemeGroupVersion:
+			v1alpha1.AddToScheme(api.Scheme)
+		}
+	}
+}
diff --git a/pkg/apis/certificates/install/install_test.go b/pkg/apis/certificates/install/install_test.go
new file mode 100644
index 00000000000..894d7e196de
--- /dev/null
+++ b/pkg/apis/certificates/install/install_test.go
@@ -0,0 +1,114 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package install
+
+import (
+	"encoding/json"
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/apimachinery/registered"
+	"k8s.io/kubernetes/pkg/apis/certificates"
+	"k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+func TestResourceVersioner(t *testing.T) {
+	csr := certificates.CertificateSigningRequest{ObjectMeta: api.ObjectMeta{ResourceVersion: "10"}}
+	version, err := accessor.ResourceVersion(&csr)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if version != "10" {
+		t.Errorf("unexpected version %v", version)
+	}
+
+	csrList := certificates.CertificateSigningRequestList{ListMeta: unversioned.ListMeta{ResourceVersion: "10"}}
+	version, err = accessor.ResourceVersion(&csrList)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if version != "10" {
+		t.Errorf("unexpected version %v", version)
+	}
+}
+
+func TestCodec(t *testing.T) {
+	csr := certificates.CertificateSigningRequest{}
+	// We do want to use package registered rather than testapi here, because we
+	// want to test if the package install and package registered work as expected.
+	data, err := runtime.Encode(api.Codecs.LegacyCodec(registered.GroupOrDie(certificates.GroupName).GroupVersion), &csr)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	other := certificates.CertificateSigningRequest{}
+	if err := json.Unmarshal(data, &other); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if other.APIVersion != registered.GroupOrDie(certificates.GroupName).GroupVersion.String() || other.Kind != "CertificateSigningRequest" {
+		t.Errorf("unexpected unmarshalled object %#v", other)
+	}
+}
+
+func TestInterfacesFor(t *testing.T) {
+	if _, err := registered.GroupOrDie(certificates.GroupName).InterfacesFor(certificates.SchemeGroupVersion); err == nil {
+		t.Fatalf("unexpected non-error: %v", err)
+	}
+	for i, version := range registered.GroupOrDie(certificates.GroupName).GroupVersions {
+		if vi, err := registered.GroupOrDie(certificates.GroupName).InterfacesFor(version); err != nil || vi == nil {
+			t.Fatalf("%d: unexpected result: %v", i, err)
+		}
+	}
+}
+
+func TestRESTMapper(t *testing.T) {
+	gv := v1alpha1.SchemeGroupVersion
+	csrGVK := gv.WithKind("CertificateSigningRequest")
+
+	if gvk, err := registered.GroupOrDie(certificates.GroupName).RESTMapper.KindFor(gv.WithResource("certificatesigningrequests")); err != nil || gvk != csrGVK {
+		t.Errorf("unexpected version mapping: %v %v", gvk, err)
+	}
+
+	for _, version := range registered.GroupOrDie(certificates.GroupName).GroupVersions {
+		mapping, err := registered.GroupOrDie(certificates.GroupName).RESTMapper.RESTMapping(csrGVK.GroupKind(), version.Version)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+		}
+
+		if mapping.Resource != "certificatesigningrequests" {
+			t.Errorf("incorrect resource name: %#v", mapping)
+		}
+		if mapping.GroupVersionKind.GroupVersion() != version {
+			t.Errorf("incorrect groupVersion: %v", mapping)
+		}
+
+		interfaces, _ := registered.GroupOrDie(certificates.GroupName).InterfacesFor(version)
+		if mapping.ObjectConvertor != interfaces.ObjectConvertor {
+			t.Errorf("unexpected: %#v, expected: %#v", mapping, interfaces)
+		}
+
+		csr := &certificates.CertificateSigningRequest{ObjectMeta: api.ObjectMeta{Name: "foo"}}
+		name, err := mapping.MetadataAccessor.Name(csr)
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+		}
+		if name != "foo" {
+			t.Errorf("unable to retrieve object meta with: %v", mapping.MetadataAccessor)
+		}
+	}
+}
diff --git a/pkg/apis/certificates/register.go b/pkg/apis/certificates/register.go
new file mode 100644
index 00000000000..02b095d0988
--- /dev/null
+++ b/pkg/apis/certificates/register.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "certificates"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind
+func Kind(kind string) unversioned.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource
+func Resource(resource string) unversioned.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+func AddToScheme(scheme *runtime.Scheme) {
+	// Add the API to Scheme.
+	addKnownTypes(scheme)
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&CertificateSigningRequest{},
+		&CertificateSigningRequestList{},
+		&api.ListOptions{},
+		&api.DeleteOptions{},
+	)
+}
+
+func (obj *CertificateSigningRequest) GetObjectKind() unversioned.ObjectKind     { return &obj.TypeMeta }
+func (obj *CertificateSigningRequestList) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
diff --git a/pkg/apis/certificates/types.go b/pkg/apis/certificates/types.go
new file mode 100644
index 00000000000..0848d95e8ee
--- /dev/null
+++ b/pkg/apis/certificates/types.go
@@ -0,0 +1,84 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+)
+
+// +genclient=true,nonNamespaced=true
+
+// Describes a certificate signing request
+type CertificateSigningRequest struct {
+	unversioned.TypeMeta `json:",inline"`
+	api.ObjectMeta       `json:"metadata,omitempty"`
+
+	// The certificate request itself and any additonal information.
+	Spec CertificateSigningRequestSpec `json:"spec,omitempty"`
+
+	// Derived information about the request.
+	Status CertificateSigningRequestStatus `json:"status,omitempty"`
+}
+
+// This information is immutable after the request is created. Only the Request
+// and ExtraInfo fields can be set on creation, other fields are derived by
+// Kubernetes and cannot be modified by users.
+type CertificateSigningRequestSpec struct {
+	// Base64-encoded PKCS#10 CSR data
+	Request []byte `json:"request"`
+
+	// Information about the requesting user (if relevant)
+	// See user.Info interface for details
+	Username string   `json:"username,omitempty"`
+	UID      string   `json:"uid,omitempty"`
+	Groups   []string `json:"groups,omitempty"`
+}
+
+type CertificateSigningRequestStatus struct {
+	// Conditions applied to the request, such as approval or denial.
+	Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty"`
+
+	// If request was approved, the controller will place the issued certificate here.
+	Certificate []byte `json:"certificate,omitempty"`
+}
+
+type RequestConditionType string
+
+// These are the possible conditions for a certificate request.
+const (
+	CertificateApproved RequestConditionType = "Approved"
+	CertificateDenied   RequestConditionType = "Denied"
+)
+
+type CertificateSigningRequestCondition struct {
+	// request approval state, currently Approved or Denied.
+	Type RequestConditionType `json:"type"`
+	// brief reason for the request state
+	Reason string `json:"reason,omitempty"`
+	// human readable message with details about the request state
+	Message string `json:"message,omitempty"`
+	// timestamp for the last update to this condition
+	LastUpdateTime unversioned.Time `json:"lastUpdateTime,omitempty"`
+}
+
+type CertificateSigningRequestList struct {
+	unversioned.TypeMeta `json:",inline"`
+	unversioned.ListMeta `json:"metadata,omitempty"`
+
+	Items []CertificateSigningRequest `json:"items,omitempty"`
+}
diff --git a/pkg/apis/certificates/v1alpha1/conversion.go b/pkg/apis/certificates/v1alpha1/conversion.go
new file mode 100644
index 00000000000..7570a9fbd1d
--- /dev/null
+++ b/pkg/apis/certificates/v1alpha1/conversion.go
@@ -0,0 +1,23 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/kubernetes/pkg/runtime"
+
+func addConversionFuncs(scheme *runtime.Scheme) {
+	// Add non-generated conversion functions here. Currently there are none.
+}
diff --git a/pkg/apis/certificates/v1alpha1/conversion_generated.go b/pkg/apis/certificates/v1alpha1/conversion_generated.go
new file mode 100644
index 00000000000..0ec255e2a31
--- /dev/null
+++ b/pkg/apis/certificates/v1alpha1/conversion_generated.go
@@ -0,0 +1,31 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// DO NOT EDIT. THIS FILE IS AUTO-GENERATED BY $KUBEROOT/hack/update-generated-conversions.sh
+
+package v1alpha1
+
+import api "k8s.io/kubernetes/pkg/api"
+
+func init() {
+	err := api.Scheme.AddGeneratedConversionFuncs()
+	if err != nil {
+		// If one of the conversion functions is malformed, detect it immediately.
+		panic(err)
+	}
+}
diff --git a/pkg/apis/certificates/v1alpha1/doc.go b/pkg/apis/certificates/v1alpha1/doc.go
new file mode 100644
index 00000000000..65a03a2093d
--- /dev/null
+++ b/pkg/apis/certificates/v1alpha1/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +genconversion=true
+package v1alpha1
diff --git a/pkg/apis/certificates/v1alpha1/register.go b/pkg/apis/certificates/v1alpha1/register.go
new file mode 100644
index 00000000000..23737452963
--- /dev/null
+++ b/pkg/apis/certificates/v1alpha1/register.go
@@ -0,0 +1,62 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/kubernetes/pkg/runtime"
+	versionedwatch "k8s.io/kubernetes/pkg/watch/versioned"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "certificates"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind
+func Kind(kind string) unversioned.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource
+func Resource(resource string) unversioned.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+func AddToScheme(scheme *runtime.Scheme) {
+	addKnownTypes(scheme)
+	// addDefaultingFuncs(scheme)
+	addConversionFuncs(scheme)
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&CertificateSigningRequest{},
+		&CertificateSigningRequestList{},
+		&v1.ListOptions{},
+		&v1.DeleteOptions{},
+	)
+
+	// Add the watch version that applies
+	versionedwatch.AddToGroupVersion(scheme, SchemeGroupVersion)
+}
+
+func (obj *CertificateSigningRequest) GetObjectKind() unversioned.ObjectKind     { return &obj.TypeMeta }
+func (obj *CertificateSigningRequestList) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
diff --git a/pkg/apis/certificates/v1alpha1/types.generated.go b/pkg/apis/certificates/v1alpha1/types.generated.go
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/pkg/apis/certificates/v1alpha1/types.go b/pkg/apis/certificates/v1alpha1/types.go
new file mode 100644
index 00000000000..04eee25168a
--- /dev/null
+++ b/pkg/apis/certificates/v1alpha1/types.go
@@ -0,0 +1,84 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/api/v1"
+)
+
+// +genclient=true,nonNamespaced=true
+
+// Describes a certificate signing request
+type CertificateSigningRequest struct {
+	unversioned.TypeMeta `json:",inline"`
+	v1.ObjectMeta        `json:"metadata,omitempty"`
+
+	// The certificate request itself and any additonal information.
+	Spec CertificateSigningRequestSpec `json:"spec,omitempty"`
+
+	// Derived information about the request.
+	Status CertificateSigningRequestStatus `json:"status,omitempty"`
+}
+
+// This information is immutable after the request is created. Only the Request
+// and ExtraInfo fields can be set on creation, other fields are derived by
+// Kubernetes and cannot be modified by users.
+type CertificateSigningRequestSpec struct {
+	// Base64-encoded PKCS#10 CSR data
+	Request []byte `json:"request"`
+
+	// Information about the requesting user (if relevant)
+	// See user.Info interface for details
+	Username string   `json:"username,omitempty"`
+	UID      string   `json:"uid,omitempty"`
+	Groups   []string `json:"groups,omitempty"`
+}
+
+type CertificateSigningRequestStatus struct {
+	// Conditions applied to the request, such as approval or denial.
+	Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty"`
+
+	// If request was approved, the controller will place the issued certificate here.
+	Certificate []byte `json:"certificate,omitempty"`
+}
+
+type RequestConditionType string
+
+// These are the possible conditions for a certificate request.
+const (
+	CertificateApproved RequestConditionType = "Approved"
+	CertificateDenied   RequestConditionType = "Denied"
+)
+
+type CertificateSigningRequestCondition struct {
+	// request approval state, currently Approved or Denied.
+	Type RequestConditionType `json:"type"`
+	// brief reason for the request state
+	Reason string `json:"reason,omitempty"`
+	// human readable message with details about the request state
+	Message string `json:"message,omitempty"`
+	// timestamp for the last update to this condition
+	LastUpdateTime unversioned.Time `json:"lastUpdateTime,omitempty"`
+}
+
+type CertificateSigningRequestList struct {
+	unversioned.TypeMeta `json:",inline"`
+	unversioned.ListMeta `json:"metadata,omitempty"`
+
+	Items []CertificateSigningRequest `json:"items,omitempty"`
+}
diff --git a/pkg/apis/certificates/validation/validation.go b/pkg/apis/certificates/validation/validation.go
new file mode 100644
index 00000000000..5779349b578
--- /dev/null
+++ b/pkg/apis/certificates/validation/validation.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"fmt"
+
+	apivalidation "k8s.io/kubernetes/pkg/api/validation"
+	"k8s.io/kubernetes/pkg/apis/certificates"
+	certutil "k8s.io/kubernetes/pkg/util/certificates"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+// validateCSR validates the signature and formatting of a base64-wrapped,
+// PEM-encoded PKCS#10 certificate signing request. If this is invalid, we must
+// not accept the CSR for further processing.
+func validateCSR(obj *certificates.CertificateSigningRequest) error {
+	csr, err := certutil.ParseCertificateRequestObject(obj)
+	if err != nil {
+		return err
+	}
+	// check that the signature is valid
+	err = csr.CheckSignature()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// We don't care what you call your certificate requests.
+func ValidateCertificateRequestName(name string, prefix bool) []string {
+	return nil
+}
+
+func ValidateCertificateSigningRequest(csr *certificates.CertificateSigningRequest) field.ErrorList {
+	isNamespaced := false
+	allErrs := apivalidation.ValidateObjectMeta(&csr.ObjectMeta, isNamespaced, ValidateCertificateRequestName, field.NewPath("metadata"))
+	err := validateCSR(csr)
+	if err != nil {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("request"), csr.Spec.Request, fmt.Sprintf("%v", err)))
+	}
+	return allErrs
+}
+
+func ValidateCertificateSigningRequestUpdate(newCSR, oldCSR *certificates.CertificateSigningRequest) field.ErrorList {
+	validationErrorList := ValidateCertificateSigningRequest(newCSR)
+	metaUpdateErrorList := apivalidation.ValidateObjectMetaUpdate(&newCSR.ObjectMeta, &oldCSR.ObjectMeta, field.NewPath("metadata"))
+	return append(validationErrorList, metaUpdateErrorList...)
+}
diff --git a/pkg/util/certificates/csr.go b/pkg/util/certificates/csr.go
new file mode 100644
index 00000000000..be1f7651c31
--- /dev/null
+++ b/pkg/util/certificates/csr.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+
+	"k8s.io/kubernetes/pkg/apis/certificates"
+)
+
+// ParseCertificateRequestObject extracts the CSR from the API object and decodes it.
+func ParseCertificateRequestObject(obj *certificates.CertificateSigningRequest) (*x509.CertificateRequest, error) {
+	// extract PEM from request object
+	pemBytes := obj.Spec.Request
+	block, _ := pem.Decode(pemBytes)
+	if block == nil || block.Type != "CERTIFICATE REQUEST" {
+		return nil, errors.New("PEM block type must be CERTIFICATE REQUEST")
+	}
+	csr, err := x509.ParseCertificateRequest(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	return csr, nil
+}