25

I'm new to commercial SSL certificates and would like to know if a CSR that I generate is safe to send via email?

joshu
    It may not be his CA asking for it. For instance I am generating CSRs for customers to give to their CA of choice to get their certificate. – MillerGeek May 15 '14 at 21:44
  • Another use case is where an individual creates a CSR file on a server and then needs to submit it to an intermediary (e.g. designated ops person) for submission to a CA. – user12345 Feb 03 '16 at 20:07
    Not sure of OP's intent, but I came to this question looking for an answer to, "is e-mail a safe *medium* to transport secure information, like public and private keys when I'm transferring them to the person/team I created them for". – Zach Young Jul 13 '16 at 18:59

5 Answers

24

Sure but I don't think that the certificate authority should receive CSRs by email unless they are employing a mechanism (like signing your email with PGP/GPG) to ensure that the CSR came from you (rather than someone pretending to be you).

Luca Filipozzi
    The CSR should only contain the public key. As long as you are not also including the private key in the same email, there is really nothing to worry about. Again, most reputable certificate authorities will provide a form on their website to paste your CSR into during the purchase process. – Josh OD Brown May 14 '12 at 01:19
    It isn't clear from his question if he's personally submitting the CSR to the certificate authority. He could be emailing it to another admin (in house or at another organization) who will be submitting it to the certificate authority and requesting generation of an SSL certificate for joshu's server. – user12345 Mar 13 '14 at 21:22
13

As the CSR only contains your public key: No, it's not dangerous to send it by email or publicize it in any other way. The only thing you can basically do with it is to generate certificates for that public key. Don't send your private key to anyone however.

Also, I'm not aware of any commercial SSL provider that wants to receive the CSR by email. Are you sure there isn't some text input field in their web interface?

10

Goodness. No it is not safe to send the CSR by email. The comments above regarding the lack of any secrets in the CSR are fine but they miss the point.

A certificate authority, by signing a CSR and thus issuing a certificate, is stating that the contents of the CSR are true. As email is an insecure transport, there is no guarantee per se that the CSR received by the CA is the same as the one sent. An obvious compromise is that the email is intercepted, the CSR is changed in some way, or replaced, and as the CA has no way of knowing that has happened it signs something saying it is true when it is not what the requestor asked to be signed.

That is why any reputable CA will provide a web form secured by TLS in order to transfer the CSR securely.

The only case where email is acceptable is - as one of the comments above refers - if the email is verifiable and the content known to be unchanged. This is achieved generally by signing the email (PGP, S/MIME etc). Other options might be to encrypt the CSR and provide out-of-band and secure exchange of the encryption secret.

user75995
3

The CA has to be 100% confident that the CSR it received is the one you sent. If there's some way to do that by email, then that's fine. There's no sensitive information in the CSR.

David Schwartz
1

It's odd that a certificate authority asks you to send your CSR through email.

Generally, they ask you to copy/paste the CSR into a textarea on their website when you subscribe, while connected over HTTPS.

Now, as explained on Wikipedia:

The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate), and the public key chosen by the applicant.

That means it's safe to send this by email because what is important in a PKI infrastructure is the private key, that you must keep to yourself.

Cyril N.