0

Let's say you have a CSR that is filled with incorrect data and you need to issue a certificate to the associated private key holder. The private key holder will not issue another CSR and will not disclose their private key. Can you overwrite every data field when you issue a corresponding certificate?

There are a lot of questions that ask about overwriting specific data fields at signing (subject, startdate), but I would like to know what cannot be changed by the CA.

Liam Kelly
  • The CA can technically choose any startdate within the limits of ASN.1 GeneralizedTime (up to 9999-12-31), and enddate too, but it can't 'overwrite' the CSR because the CSR has no dates that could be overwritten ever. (For a _publicly trusted_ CA, CABforum rules now require the validity to extend no more than a little over 1 year from issuance; until fairly recently it was a little over 3 years.) – dave_thompson_085 Mar 10 '22 at 02:45

2 Answers

3

The issuing authority has no requirement or responsibility to respect anything in the Certification Request (CSR), except the public key.

The StartSSL Certificate Authority, for example, did exactly that: Discard everything except the public key from the CSR, filling in everything else based on your account.

So, it's all down to whatever process exists with a specific issuing authority, and what tooling they have for working with that process.

bartonjs
0

Other than the public key - yes.

Whether the software used can do so is a different matter. Of course, it would be foolhardy to change the various fields and extensions on a whim, as the CA would lose its trustworthiness.

garethTheRed
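Both answers make the same point: the CA is only bound to the public key in the CSR, and everything else (subject, SAN, validity, extensions) is the CA's decision. The following is an added example, not code from either answer, showing a small issuing routine with the Python `cryptography` library. It assumes that library is installed; the CA, the "wrong" CSR and the vetted names (`wrong.example`, `vetted.example`, "Example Test CA") are constructed here for illustration. The routine checks the CSR's self-signature (proof that the requester holds the key), then builds the certificate from the CSR's public key alone, with every other field supplied by the CA.

```python
"""Issue a certificate from a CSR, keeping only the CSR's public key.

Added example (not from the answers above). Assumes the `cryptography`
package; all names and the CA are constructed for the demonstration.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

LEAF_KEY_USAGE = x509.KeyUsage(
    digital_signature=True, content_commitment=False, key_encipherment=False,
    data_encipherment=False, key_agreement=False, key_cert_sign=False,
    crl_sign=False, encipher_only=False, decipher_only=False)


def make_ca():
    """Constructed self-signed test CA (hypothetical, for the example only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_bad_csr():
    """Constructed CSR whose subject and SAN are both wrong (the question's scenario)."""
    key = ec.generate_private_key(ec.SECP256R1())
    wrong_subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "wrong.example"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Typo Corp"),
    ])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(wrong_subject)
           .add_extension(x509.SubjectAlternativeName([x509.DNSName("wrong.example")]),
                          critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr


def issue_from_csr(csr, ca_key, ca_cert, subject, dns_names, validity_days):
    """Sign a certificate that takes ONLY the public key from the CSR.

    Subject, SAN, validity and every extension come from the CA's own
    vetted data, exactly as the answers describe.
    """
    # The CSR's self-signature is the requester's proof of key possession;
    # it is the one thing worth checking before discarding the rest.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester may not hold the private key")
    now = datetime.datetime.now(datetime.timezone.utc)
    pub = csr.public_key()
    builder = (x509.CertificateBuilder()
               .subject_name(subject)                 # CA-chosen, not the CSR's
               .issuer_name(ca_cert.subject)
               .public_key(pub)                       # the only field taken from the CSR
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=validity_days))
               .add_extension(x509.SubjectAlternativeName(
                   [x509.DNSName(d) for d in dns_names]), critical=False)
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
               .add_extension(LEAF_KEY_USAGE, critical=True)
               .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                              critical=False)
               .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
               .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
                   ca_cert.public_key()), critical=False))
    return builder.sign(ca_key, hashes.SHA256())


def spki(pub):
    """DER SubjectPublicKeyInfo, used to compare keys by value."""
    return pub.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)


def san_dns(obj):
    """DNS names from the SAN extension of a CSR or certificate."""
    ext = obj.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return sorted(ext.value.get_values_for_type(x509.DNSName))


def compare_csr_to_cert(csr, cert):
    """Report which CSR fields survived issuance."""
    return {
        "public_key_kept": spki(csr.public_key()) == spki(cert.public_key()),
        "subject_kept": csr.subject == cert.subject,
        "san_kept": san_dns(csr) == san_dns(cert),
    }


def verify_issued_by(cert, ca_cert):
    """Check the certificate's signature against the CA's public key."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, csr = make_bad_csr()
    vetted = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "vetted.example")])
    cert = issue_from_csr(csr, ca_key, ca_cert, vetted, ["vetted.example"], 90)
    print(compare_csr_to_cert(csr, cert), verify_issued_by(cert, ca_cert))
```

Running the script shows `public_key_kept` as `True` while `subject_kept` and `san_kept` are `False`: the issued certificate is valid under the CA and usable by the key holder, yet nothing in it except the key came from the CSR. Whether a real CA's tooling exposes this freedom, and whether its policy lets operators use it, is the separate matter the second answer raises.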