1

Are the CSR and public key the exact same thing?

I require the CSR - can I create a public key from the .cer and use it as the CSR?

I need the CSR for HPKP backup key generation.

Is OpenSSL the only way to do this (Windows machine)?

1 Answer

3

No, they are not the same. A public key is actually one member of a "key pair", consisting of both a public key and the matching private key. The CSR is a Certificate Signing Request, which is just a form you fill out.

When creating a CSR, you attach your public key to it and fill in other needed data; you then send it to a Certificate Authority (CA). The CA takes the data from your form, and if you pass all their validation tests (i.e. your credit card is charged), they use the data from your CSR to create a certificate, and then they sign your new certificate with their "root" certificate. This gives the rest of the world assurance that the public key found on the certificate is actually associated with you.

Normally, nobody but the CA needs a CSR.

In your case, it sounds like you're stuck in the middle of someone else's process that hasn't been described adequately. If this "HPKP backup key generation" (whatever that is) is creating a public/private key pair, they may be asking for a "blank" CSR to use as a template to request a new certificate every time they generate a new backup key. (Really, they probably just need the data fields you want on the certificates.) But that CSR is always incomplete because the public keys haven't yet been generated.

You probably need to sit down with both the certificate people and the HPKP people, and figure out who actually needs what.

John Deters
  • A CSR must always contain a public key, as this is what the CA is ultimately signing. I am not sure you could produce a "blank CSR" and still call it a CSR. See RFC 2986 for details. – Kirill Sinitski Apr 06 '17 at 21:54
  • OK, I got it now. @JohnDeters you are correct on the part that I needed to know. I don't need the CSR of the existing certificate. That would not solve the issue. I need to create a new private key which will then be the backup and which I will use in case my private key gets compromised. So it's not a backup of the existing CSR, it's a new CSR that will act as a backup. – Peter PitLock Apr 07 '17 at 05:43
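
The point reached in the answer and comments above (a CSR carries the public key of a newly generated key pair), shown as an added example that is not part of the original answer or comments: it creates a new backup key and CSR with OpenSSL and derives the HPKP pin (base64 of the SHA-256 of the SubjectPublicKeyInfo, as defined in RFC 7469) from both. The file names `backup.key` and `backup.csr` and the subject `CN=backup.example.test` are placeholders chosen for the example.

```shell
# Added example; file names and subject are placeholders, not values from the page.
set -eu

# HPKP pin: base64(SHA-256(DER SubjectPublicKeyInfo)), PEM public key on stdin.
spki_pin() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -binary |
        openssl enc -base64
}

# Pin of the public key embedded in a CSR.
pin_from_csr() {
    openssl req -in "$1" -noout -pubkey | spki_pin
}

# Pin of the public half of a private key.
pin_from_key() {
    openssl pkey -in "$1" -pubout | spki_pin
}

# Create a fresh backup key pair and a CSR that carries its public key.
# usage: make_backup_csr <directory> <subject>
make_backup_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/backup.key" 2>/dev/null
    openssl req -new -key "$1/backup.key" -subj "$2" -out "$1/backup.csr"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_backup_csr "$workdir" "/CN=backup.example.test"

# Both lines print the same pin: the CSR holds the public key, never the private one.
echo "pin from CSR: $(pin_from_csr "$workdir/backup.csr")"
echo "pin from key: $(pin_from_key "$workdir/backup.key")"
```

The pin depends only on the key pair, so it can be published before any certificate is issued for the backup key; `backup.key` itself should be stored offline until it is needed.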