
I use the following commands to create my private key and CSR (using the ECC algorithm):

openssl ecparam -out ECC.key -name prime256v1 -genkey -noout
openssl req -new -key ECC.key -out ECC.csr -sha256 -subj "/C=VN/O=Custom Organization/OU=Custom Organizational Unit/CN=*.domain.tld"

After creating the CSR and the private key, I obtained a TLS certificate signed by Cloudflare to install on the origin server. But then I checked the SSL certificate on this site: Certificate Key Matcher.

When I use "Check if a Certificate and a Private Key match" with the certificate created by Cloudflare and the private key I created above, the result is: The certificate and private key match!

But when I use "Check if a CSR and a Certificate match" with the certificate created by Cloudflare and the CSR that I created above, the result is: The certificate and CSR do NOT match!

Why does this problem happen? Did the Cloudflare CA not use the information in my CSR to build the certificate?

  • I really don't think I would take the private key for my production cert and give it to some website ... – Mike Ounsworth Apr 07 '22 at 04:47
  • @MikeOunsworth Cloudflare's Origin certificate is untrusted; it can't be used in practice without pointing domain names to Cloudflare's servers. I'm just checking it, because I see that the Issuer information on Cloudflare's Origin certificate is different from the information in the CSR I used. – Tần Quảng Apr 08 '22 at 05:42

1 Answer

By design, Cloudflare's WAF must MITM the connection between the client and your server, in order to perform its function. See "Cloudflare's free SSL options require trusting them; what could they do to change that?" and "CDN end to end encryption?" for more information.

To do this, Cloudflare must create a certificate for your site, keyed to a different private key than the one you created, which they store in their HSM. So, it would be expected that the public key in the certificate created by Cloudflare would not match the public key that corresponds with the private key that you created.


Notwithstanding, instead of using an online tool that requires you to upload your private key, you can verify that your private key corresponds with the public key in your CSR and your certificate locally, using openssl.

As an example, I started with the commands that you posted in your question, to create an ECC private key, and a CSR:

openssl ecparam -out ECC.key -name prime256v1 -genkey -noout
openssl req -new -key ECC.key -out ECC.csr -sha256 -subj "/C=VN/O=Custom Organization/OU=Custom Organizational Unit/CN=*.domain.tld"

Then, you can use the command below, to show the public key that corresponds with the private key in the ECC.key file:

openssl ec -in ECC.key -pubout

This produces:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKd3Wf7he+AReKhU45r+Bp/p8VeBQ
VCLsCPVkWMQc7jjMytJE0DWCY/FcJ+DepdUE7dSGmHIqu2VnmlO0uDJzGA==
-----END PUBLIC KEY-----

The command below can be used to extract the public key from the ECC.csr file:

openssl req -in ECC.csr -noout -pubkey

This produces:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKd3Wf7he+AReKhU45r+Bp/p8VeBQ
VCLsCPVkWMQc7jjMytJE0DWCY/FcJ+DepdUE7dSGmHIqu2VnmlO0uDJzGA==
-----END PUBLIC KEY-----

As you can see, the public key extracted from ECC.csr matches the public key derived from ECC.key.

The following command can be used to extract the public key from a certificate file:

openssl x509 -pubkey -noout -in cert.pem
mti2935
  • Yes, although all the information in the Origin certificate is different from the information in the CSR, only the public key matches the CSR. – Tần Quảng Apr 14 '22 at 09:47
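As an added example that is not part of the original question or answer, the script below runs the answer's three openssl comparisons (key, CSR, certificate) as functions and additionally compares the subject fields, which is the difference the final comment above reports. It cannot use a Cloudflare-issued certificate offline, so it stands in a constructed one: a self-signed certificate over the same private key but with a different, invented subject ("/O=Example Origin CA/CN=placeholder"). That stand-in models the observation on this page (same public key, different subject) and is not Cloudflare's actual signing pipeline; the function names are likewise invented.

```shell
#!/bin/sh
# Added example (not from the original question or answer): compare the public
# key and the subject of a private key, a CSR and a certificate with openssl
# only, so nothing has to be uploaded to a web tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER SubjectPublicKeyInfo of a key, CSR or certificate, so the
# three public keys can be compared as one short string. `openssl pkey` is the
# algorithm-agnostic form of the `openssl ec` command used in the answer.
pubkey_fp() {   # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Subject DN of a CSR or certificate, as printed by this openssl build.
subject_of() {  # $1 = csr|cert, $2 = file
    case "$1" in
        csr)  openssl req  -in "$2" -noout -subject ;;
        cert) openssl x509 -in "$2" -noout -subject ;;
    esac | sed 's/^subject=//'
}

# Each prints "match" or "mismatch" for the two artifacts given.
keys_match()     { [ "$(pubkey_fp "$1" "$2")"  = "$(pubkey_fp "$3" "$4")"  ] && echo match || echo mismatch; }
subjects_match() { [ "$(subject_of "$1" "$2")" = "$(subject_of "$3" "$4")" ] && echo match || echo mismatch; }

# The key and CSR exactly as created in the question.
make_key_and_csr() {
    openssl ecparam -out "$WORK/ECC.key" -name prime256v1 -genkey -noout
    openssl req -new -key "$WORK/ECC.key" -out "$WORK/ECC.csr" -sha256 \
        -subj "/C=VN/O=Custom Organization/OU=Custom Organizational Unit/CN=*.domain.tld"
}

# Stand-in for the issued certificate (assumption: a self-signed certificate
# over the same key but with a CA-chosen subject, modelling what the question
# observed; this is not Cloudflare's signing pipeline). The subject is invented.
issue_cert_with_rewritten_subject() {
    openssl req -x509 -new -key "$WORK/ECC.key" -sha256 -days 30 \
        -subj "/O=Example Origin CA/CN=placeholder" -out "$WORK/cert.pem"
}

make_key_and_csr
issue_cert_with_rewritten_subject
echo "key vs CSR  public key: $(keys_match key "$WORK/ECC.key" csr  "$WORK/ECC.csr")"
echo "key vs cert public key: $(keys_match key "$WORK/ECC.key" cert "$WORK/cert.pem")"
echo "CSR vs cert public key: $(keys_match csr "$WORK/ECC.csr" cert "$WORK/cert.pem")"
echo "CSR vs cert subject:    $(subjects_match csr "$WORK/ECC.csr" cert "$WORK/cert.pem")"
echo "CSR subject:  $(subject_of csr  "$WORK/ECC.csr")"
echo "cert subject: $(subject_of cert "$WORK/cert.pem")"
```

Comparing a hash of the DER-encoded public key, rather than eyeballing two PEM blobs, is the same check the online tool performs for "certificate and private key match"; the last two lines show the field that a CSR-versus-certificate comparison can still differ on even when the key is identical.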