2

Perhaps the answer is no, and perhaps this is a dumb question. However I am trying to understand the underlying principles better.

My understanding of certificate signing process.

  1. I generate a key pair.
  2. I create a CSR. [CSR is essentially the public key + DN information signed using the corresponding private key to prove ownership of the private key.]
  3. I provide the CSR to a CA.
  4. CA verifies my ownership of DN and the private key.
  5. CA signs the public key, DN and validity using its private key, hashes this signature and appends to create a certificate.

Scenario:

  1. I have a public key for which I do not possess the corresponding private key.
  2. Can I create a CSR without the private key?
  3. Can I create a certificate for this CSR if I am the CA and I ignore to validate the private key ownership?
  4. Can the above be trivially demonstrated using openssl commands which are available or does it need tweaks and custom tools?
hax
  • 3,851
  • 1
  • 16
  • 34

3 Answers3

2

Your understanding of certificate signing process

Yup, I think you generally have this right. One minor quibble is that it's not necessarily the DN that's being verified; nowadays the important information is usually carried in the SubjectAlternativeName field(s). Often a CA will only require the CSR to contain a public key and signature, and any other metadata in the CSR is ignored and taken instead from your account info.

Also, to elaborate on your 2., the CSR format is specified in RFC 2989 and does indeed include a mandatory signature field. Any CA worth their salt should validate an incoming CSR by checking that the signature validates under the public key contained in the CSR and reject the CSR if it does not.

 4.2 CertificationRequest

   A certification request shall have ASN.1 type CertificationRequest:

   CertificationRequest ::= SEQUENCE {
        certificationRequestInfo CertificationRequestInfo,
        signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
        signature          BIT STRING
   }

Scenario:

  1. I have a public key for which I do not possess the corresponding private key.
  1. Can I create a CSR without the private key?

Technically yes, you can throw any random bits into the signature field and have a syntactically-valid CSR, but anyone trying to process the CSR should reject it because it has a broken signature.

  1. Can I create a certificate for this CSR if I am the CA and I ignore to validate the private key ownership?

If you're the CA you can do whatever you like. You don't even need a CSR; if you have access to the CA private key then you can create certificates containing data you want by producing the X.509 ToBeSigned (TBS) structure in a hex editor, signing it, and stuffing the TBS structure and signature bytes into the right place in an X.509 object.

  1. Can the above be trivially demonstrated using openssl commands which are available or does it need tweaks and custom tools?

This I would need to go away and play with, which I don't have time for right now. The core question is whether openssl has a setting to disable CSR Proof-of-Possession (PoP) checks when issuing a cert from a CSR. If yes, then it'll happily sign any broken CSR you give it.

Community
  • 1
Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • 1
    #4: sort-of. OpenSSL commandline won't _disable_ verifying the signature, but in 1.0.2 up you can create a CSR containing _and_ signed by a (bogus) keypair whose privatekey you have, then use `openssl x509 -req -CA [-CAkey] -force_pubkey [other]...` which will verify the signature using the bogus key but put in the cert a different pubkey whose privatekey you don't need. See https://security.stackexchange.com/questions/82284/ https://crypto.stackexchange.com/questions/19452/ https://security.stackexchange.com/questions/44251/ – dave_thompson_085 Feb 11 '21 at 04:28
0

Can I create a CSR without the private key?

you can create, but not sign. CSR is a signed content and public key embedded in CSR is used to validate signature on CSR. If you don't possess the corresponding private key, you cannot craft signature verifieable with public key in CSR.

Can I create a certificate for this CSR if I am the CA and I ignore to validate the private key ownership?

technically, yes. You can do whatever you want. But other CAs won't. So it makes zero sense in general.

Crypt32
  • 5,750
  • 12
  • 24
0

The certificate is like a LOCK. Your private key is the key to the lock.

It is true that the CA does not require you to send the private key over (that's a bit of a security risk, if you think about Man in the middle...).

But the Cert that is generated is meaningless - since only your private key can unlock that Cert.

So - you getting that cert is not going to support any use case - encryption or signing. That generated Cert is a LOCK that cannot never be unlocked...and will eventually be discarded (not supported by anyone). You could say - well, I am the CA - I support it by importing that into my trusted vault..

That's still not going to work, if you do not have the private key.

user2736158
  • 101