Why is the certificate that results from a CSR usually contained in a PKCS#7? The signature of the certificate is contained within the certificate itself so there's no need for an external signature anyway and looking at some of the result PKCS#7 response there's no additional signature present anyway so there's actually zero benefit from encapsulating it in a PKCS#7?
Asked
Active
Viewed 645 times
0
-
You'd have to ask whoever's running that particular CA. I don't think there's a technical reasons why they're not just returning the plain x509 cert. I'm guessing it's just the way that *they* do things. At least whenever I requested TLS certs for webservers from public CA I don't think I've ever received a p7b file. – StackzOfZtuff Mar 20 '18 at 12:55
1 Answers
1
PKCS#7 is a container and can include multiple certificates. When CA responds to client it puts in the container signed certificate and all required intermediate CA certificate you may need to install in order to correctly use the issued certificate.
Crypt32
- 5,750
- 12
- 24
-
-
2Because PKCS#12 is used to store certificate and associated private key. CA response never returns private key, because CA don’t know it. – Crypt32 Jan 22 '18 at 16:33