
I'm creating my own openvpn server.

The Certificate authority is located on a separated host.

There are two kinds of clients: those that just send me a .csr, to which I send the .crt as an answer, and those which I build myself.

In the second case, I create the .key and .csr by using:

openssl req -days 3652 -nodes -new -keyout NewClient007.key -out NewClient007.csr

then the signed certificate by:

openssl ca -days 3652 -out NewClient007.crt -in NewClient007.csr

So, from there, I will install both .key and .crt to the new client and delete .key from the CA.

If I understand rightly, the .crt may be useful if I want to revoke the key in future (but it is copied to Id.pem, where Id is the index number).

Current status, where ssl files are located:

server:
   ca.crt           CA's public certificate
   server.crt       server public certificate
   server.key       server private key
   crl.pem          CA signed certificates revocation list
   dh1024.pem       Diffie-Hellman parameters file

certificate authority:
   ca.key           CA's private key
   ca.crt           CA's public certificate
   index.txt        Index of signed keys
   serial           number of next entry in index.txt
   index.txt.attr   attributes for index file
   ClientXXXX.crt   All clients certificates
   ClientXXXX.csr   All clients signing requests
   YY.pem           Copy of clients certificates according to index nr.

clients:
   ca.crt           CA's public certificate
   ClientXXXX.crt   The client certificate
   ClientXXXX.key   The client key

When I build the client key myself, it is immediately shredded and deleted once installed on the client.

So I think (but am not sure) I could quietly delete all ClientXXXX.csr and ClientXXXX.crt from the CA... So here is my question:

Could I ever need to access the .csr files again, or could I definitively delete them?

3 Answers

The Certificate Signing Request (CSR) is of no use once you've obtained your certificate. It's merely one of the vehicles that can be used to give the CA your public key as part of the application process, so that they can issue a certificate.

You'll now be able to get the public key again from the certificate itself anyway.

In fact, in this particular format, you'll be able to get the public key from the .key file:

openssl rsa -in NewClient007.key -pubout

In fact, you'll also be able to re-generate the CSR using this:

openssl req -new -key NewClient007.key -out NewClient007.csr

(Note that you don't need the -days 3652 option when generating the CSR, since a CSR doesn't have not-before/not-after dates, unlike X.509 certificates. This is only useful if you want to generate a certificate during this step.)

I would, however, suggest using -newkey rsa:2048 or -newkey rsa:4096 instead of relying on the default key size, which is often 1024 bits.

Bruno

Yes, once the certificate is signed you no longer need the signing request.

David George

Normally, you do things in this order:

  1. On your openvpn server, you create the key pair and the certificate request, with openssl req.
  2. You transport the certificate request (the ".csr" file) to the CA.
  3. The CA issues the certificate (in your case, with openssl ca), producing the ".crt" file.
  4. You transport the certificate back to the openvpn server.

The certificate request contains only the public key, not the private one. It can travel without any protection against eavesdroppers, because it contains nothing confidential. You still have to make sure that what the CA obtains is indeed the request sent by the client, in case the transmission could be tampered with.

Once the certificate has been issued, the certificate request can be deleted because it has no further use. But you can keep it as a guide for subsequent requests (e.g. the one you will do ten years from now); since there is nothing confidential in that request, there is no need to protect its archival. Similarly, while the CA need not keep a copy of the certificate itself, it is considered good practice to do it anyway. Most CA software does that automatically (by using the OpenSSL command-line tool, you are choosing the "hard path").

It is best if the private key is generated on the openvpn server itself and never leaves that server, as explained above. Generating the key on the CA machine and then transporting it to the openvpn server raises some issues: how do you make sure that the key is not spied upon during that transfer? How do you make sure that no copy of that key lingers on the CA hard disk?

Thomas Pornin
+1, thanks for explaining step by step! (I only build the client key on the CA for a special case where the client is a thin embedded device, built by scripts of mine on the same secured CA host... And the CA's disk is backed up on a remote host, but encrypted.) – F. Hauri - Give Up GitHub Mar 19 '13 at 16:57
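Bruno's commands above, and Thomas Pornin's point that the request holds only the public key, can be checked end to end. The script below is an added example, not code from the question or the answers: it builds a throwaway CA, client key, CSR and certificate in a scratch directory, then shows that the public key extracted from each is identical, that the CSR can be regenerated from the key alone, and that the certificate verifies against the CA without the CSR. It assumes an openssl binary on PATH; the file names and the /CN=NewClient007 subject are constructed.

```shell
# Added example (not from the original question or answers). Everything
# here is constructed, throwaway test material in a scratch directory;
# it assumes an openssl binary on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA (in the real setup this lives on a separate host).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Client key and CSR; -days is omitted because a CSR has no validity period.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=NewClient007" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
# The CA signs the request (x509 -req stands in for the question's openssl ca setup).
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.crt" 2>/dev/null

# Print the PEM public key held in a private key, a CSR or a certificate.
pubkey_of() {  # $1 = file, $2 = key | csr | crt
  case "$2" in
    key) openssl rsa  -in "$1" -pubout 2>/dev/null ;;
    csr) openssl req  -in "$1" -pubkey -noout ;;
    crt) openssl x509 -in "$1" -pubkey -noout ;;
  esac
}

# Succeeds when key, CSR and certificate all carry the same public key.
pubkeys_agree() {
  k=$(pubkey_of "$WORK/client.key" key)
  [ "$k" = "$(pubkey_of "$WORK/client.csr" csr)" ] &&
  [ "$k" = "$(pubkey_of "$WORK/client.crt" crt)" ]
}

# Rebuild the CSR from the key alone (the answer's openssl req -new -key ...)
# and confirm it presents the same public key as the original request.
regenerated_csr_matches() {
  openssl req -new -key "$WORK/client.key" -subj "/CN=NewClient007" \
    -out "$WORK/regen.csr" 2>/dev/null
  [ "$(pubkey_of "$WORK/regen.csr" csr)" = "$(pubkey_of "$WORK/client.csr" csr)" ]
}

# The issued certificate chains to the CA without any reference to the CSR.
cert_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

if pubkeys_agree && regenerated_csr_matches && cert_verifies; then
  echo "key, CSR and certificate agree; the .csr is redundant once the .crt exists"
fi
```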