Is it safe to send a CSR via email?

Question

I'm new to commercial SSL certificates and would like to know if a CSR that I generate is safe to send via email?

It may not be his CA asking for it. For instance I am generating CSRs for customers to give to their CA of choice to get their certificate. — MillerGeek, May 15 '14 at 21:44
Another use case is where an individual creates a CSR file on a server and then needs to submit it to an intermediary (e.g. designated ops person) for submission to a CA. — user12345, Feb 03 '16 at 20:07
Not sure of OP's intent, but I came to this question looking for an answer to, "is e-mail a safe *medium* to transport secure information, like public and private keys when I'm transferring them to the person/team I created them for". — Zach Young, Jul 13 '16 at 18:59

Luca Filipozzi · Accepted Answer · 2012-05-13T19:12:59.287

24

Sure but I don't think that the certificate authority should receive CSRs by email unless they are employing a mechanism (like signing your email with PGP/GPG) to ensure that the CSR came from you (rather than someone pretending to be you).

edited May 13 '12 at 19:12

answered May 13 '12 at 18:56

Luca Filipozzi

396
2
4

3

The CSR should only contain the public key. As long as you are not also including the private key in the same email, there is really nothing to worry about. Again, most reputable certificate authorities will provide a form on their website to paste your CSR into during the purchase process. – Josh OD Brown May 14 '12 at 01:19
4

It isn't clear from his question if he's personally submitting the CSR to the certificate authority. He could be emailing it to another admin (in house or at another organization) who will be submitting it to the certificate authority and requesting generation of an SSL certificate for joshu's server. – user12345 Mar 13 '14 at 21:22

score 13 · Answer 2 · answered May 14 '12 at 02:03

As the CSR only contains your public key: No, it's not dangerous to send it by email or publicize it in any other way. The only thing you can basically do with it is to generate certificates for that public key. Don't send your private key to anyone however.

Also, I'm not aware of any commercial SSL provider that wants to receive the CSR by email. Are you sure there isn't some text input field in their web interface?

score 10 · Answer 3 · answered May 07 '15 at 00:53

Goodness. No it is not safe to send the CSR by email. The comments above regarding the lack of any secrets in the CSR are fine but they miss the point.

A certificate authority, by signing a CSR and thus issuing a certificate, is stating that the contents of the CSR are true. As email is an insecure transport then there is no guarantee per se that the CSR received by the CA is the same as the one sent. An obvious compromise is that the email is intercepted, the CSR is changed in some way, or replaced, and and as the CA has no way of knowing that has happened signs something saying it is true when it is not what the requestor asked to be signed.

That is why any reputable CA will provide a web form secured by TLS in order to transfer the CSR securely.

The only case where email is acceptable is - as one of the comments above refers - if the email is verifiable and the content known to be unchanged. This is achieved generally by signing the email (PGP, S/Mime etc). Other options might be to encrypt the CSR and provide out-of-band and secure exchange of the encryption secret.

Strictly speaking, it's the accepting the CSR or issuing the certificate by email that's a problem. — Phil Lello, Mar 18 '16 at 17:54

score 3 · Answer 4 · answered May 14 '12 at 02:35

3

The CA has to be 100% confident that the CSR is received is the one you sent. If there's some way to do that by email, then that's fine. There's no sensitive information in the CSR.

answered May 14 '12 at 02:35

David Schwartz

4,203
24
21

score 1 · Answer 5 · answered May 14 '12 at 08:29

It's odd that a certificate authority asks you to send your CSR through email.

Generally, they asks you to copy/paste the CSR in a textarea on their website when you subscribe, while being connected in HTTPS.

Now, as explained in Wikipedia :

The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate), and the public key chosen by the applicant.

That means it's safe to send this by email because what is important in a PKI infrastructure is the private key, that you must keep to yourself.

Is it safe to send a CSR via email?

5 Answers5

Linked