Questions tagged [csr]

A Certificate Signing Request (CSR) is used in a hierarchical PKI to request a new certificate from a Certificate Authority.

Most commonly, a CSR is seen in an X.509 environment where the CSR conforms to the PKCS#10 Certificate Request Standard.

The end-user places into the CSR the public key they want certified, along with a proof-of-possession of the private key, and information about the organization or person requesting the cert such as company name, contact email, domain name, subjectAltName(s), desired validity period, etc.

In most protocols there is no guarantee that the information in the final certificate will appear exactly the same as in the CSR; the CA is allowed to modify names, expiry date, algorithms, etc. according to its policies.

58 questions
9 votes, 1 answer

CSR expiry date / validity date

If I create a CSR with openssl and set the expiration day to 5 years, is it possible that the signing CA will set the expiry date to, say, one year? Which one takes precedence? EDIT: OK, I think the answer from the StackOverflow post answers the…
cyzczy
4 votes, 1 answer

What is the risk of someone intercepting my CSR and private key

In the process of getting an SSL certificate, I generated a CSR and the private key and for some reason had to share them. What could a malicious person do with those two files?
4 votes, 1 answer

Why does SubjectAltName not turn up in my CSR?

Does the generated CSR contain the SubjectAltName? I have configured the openssl.cnf file to support extensions, and when I dump the CSR I can see the subject is available but not the SubjectAltName. This is how the CSR is generated: openssl req -new -sha256…
anish
3 votes, 1 answer

Should Subject Public Key Information be the same in 2 different certificates created from the same CSR?

Recently, I've worked on setting certificate pinning for our mobile app. I'm using the hash of the Subject Public Key Information (SPKI) for the pinning. Now, I was under the impression that SPKI will be the same if I'll create another certificate…
3 votes, 2 answers

Why is generating Certificate Signing Request (CSR) supposed to be platform/machine specific?

I've seen the questions "Is it true that certificates requested with a specific CSR can only be used on the machine where the CSR was generated?", "CSR generation origin?" and "Generate CSR code on local machine"; I've also seen…
Sasha
3 votes, 1 answer

Why does the CSR contain an explicit curve when generating private key with genpkey?

When I generated the SSL key using ecparam, I got a CSR with a named curve: $ openssl ecparam -genkey -out ecparam.key -name prime256v1 $ openssl req -new -sha256 -key ecparam.key -out ecparam.csr -subj "/CN=Test" $ openssl req -text -in ecparam.csr…
Lie Ryan
3 votes, 1 answer

How are PKCS#10 and x509 related?

I'm unable to make sense of them using the RFCs. Can anyone help? When I use this function, http://www.pyopenssl.org/en/stable/api/crypto.html#x509req-objects , am I creating a PKCS#10 format CSR?
Abhijeet Rastogi
2 votes, 1 answer

How is public key included in the CSR?

I've read a lot of articles on the PKI and digital certificate topics because it's very rare to find one article that covers all the aspects; also, the topic is confusing at the beginning (this beautiful question is my last reading: How do certificates…
2 votes, 1 answer

How to generate CSR (Certificate Signing Request) using C++ and openssl

I am new to openssl. I am trying to implement a program to generate a CSR using openssl and C++. I need to implement the following commands using C++. openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out x509Req.pem. I have tried a sample…
Kumar
2 votes, 1 answer

Invalid CSR when using Let's Encrypt web tools

I've created a CSR using IIS. When I paste the text here... https://www.sslshopper.com/csr-decoder.html ... it validates correctly. But when I use the Let's Encrypt tools here... https://zerossl.com/free-ssl/#crt https://gethttpsforfree.com/ ...…
Ian Warburton
2 votes, 0 answers

CSR Generation for Root and Subdomain FQDNs

I need to secure services operating under my root domain (e.g. example.com) and one or more services operating under subdomains of that root domain (e.g. api.example.com, mail.example.com, etc). I can request single-domain, multi-domain, or wildcard…
nmagerko
2 votes, 1 answer

Checking the certificate sent back by the CA

If a client sends a CSR to the CA and gets back a certificate signed by the CA, then is it standard practice for the client to verify if the certificate is indeed signed by the CA or can the client trust the CA & assume that there is no compromise…
user93353
1 vote, 1 answer

SSL certificate matches the private key but doesn't match the CSR

I use the following command to create your private key and CSR (using the ECC algorithm): openssl ecparam -out ECC.key -name prime256v1 -genkey -noout openssl req -new -key ECC.key -out ECC.csr -sha256 -subj "/C=VN/O=Custom Organization/OU=Custom…
1 vote, 0 answers

When I provision (sign) keys to end-users, can I force the definition of certificate expiration (different from CA expiration)?

Before I proceed to testing this myself I wanted some clarity. I have a basic understanding of SSH and cryptography but am not completely sure about this plan. I want to implement a key rotation policy by enforcing that end user keys are only valid for…
bitoiu
1 vote, 1 answer

CSR with no keyUsage or extendedKeyUsage specified and invalid DNS in CommonName - will anyone sign it?

A vendor's software is generating CSRs with no keyUsage or extendedKeyUsage set and in combination with this they contain commonNames that are not fully qualified domain names. If I submit them to Digicert as "Private SSL" certificates they sign…
Chagrin