Questions tagged [csr]

A Certificate Signing Request (CSR) is used in a hierarchical PKI to request a new certificate from a Certificate Authority.

Most commonly, a CSR is seen in an X.509 environment where the CSR conforms to the PKCS#10 Certificate Request Standard.

The end-user places into the CSR the public key they want certified, along with a proof-of-possession of the private key, and information about the organization or person requesting the cert such as company name, contact email, domain name, subjectAltName(s), desired validity period, etc.

In most protocols there is no guarantee that the information in the final certificate will appear exactly the same as in the CSR; the CA is allowed to modify names, expiry date, algorithms, etc. according to its policies.

58 questions
1 vote, 1 answer

I am unable to use an RSA key generated with the -aes-256-gcm option in openssl, help

When I run: openssl genrsa -aes-256-gcm -out rootca.key 4096 Then I get the following output: $ openssl genrsa -aes-256-gcm -out rootca.key 4096 Generating RSA private key, 8192 bit long modulus (2…
1 vote, 2 answers

Create CSR for S/MIME certificate from existing OpenPGP key pair

While increasing my communication security as much as possible, I came across OpenPGP & S/MIME and already use an OpenPGP key pair in both of my mail clients (PC & smartphone). I believe the CSR must be generated based on a truly private key, hence…
Yoda
1 vote, 1 answer

Is certificate signature encoded to ASN.1 format?

I'm working on a diagram to describe the process of issuing digital certificates, with the help of answers on my question here and some other research: I just read in the IETF that: The signatureValue field contains a digital signature computed…
1 vote, 1 answer

Help understanding CSR fields

I've made a CSR (Certificate Signing Request) in order to better understand how a PKI could be made and how it works. Using the following commands openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key openssl req -text -noout -verify…
Vilos
1 vote, 1 answer

getting no subject alternative name present exception when the csr shows that the SANs are present

I am trying to setup ssl for grpc but no matter what I try I get a no subject alternative name present. I've verified the SANs are in the certificate signing request. The common name and also a SAN are the ip addr. I am trying to connect using the…
Jeff Gaer
1 vote, 0 answers

openSSL use SAN from CSR

I am trying to create an ssl certificate from a CSR file containing a SAN using openssl, using the command line: openssl x509 -req -in keyshare.acceptance.privacybydesign.foundation.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out…
davidv1992
1 vote, 1 answer

What should be OpenSSL .cnf file equivalent of certreq .inf for S/MIME?

Currently I'm using certreq to prepare CSRs for S/MIME certificates. I want to move away from it and start using OpenSSL for key/CSR generation. My .inf file looks like this: [Version] Signature="$Windows…
StanTastic
1 vote, 1 answer

Code-Signing: Why is the CA process different from web site certificates?

I recently went to renew a code signing certificate. In preparation I went through our usual process (as for web server certificates) of creating a key pair and a CSR with OpenSSL. When I then went through the renewal process, I was not given a…
1 vote, 1 answer

Certificate not trusted in Root CA Store - does it still enable secure connection?

I'm a bit new with certificates and have been unable to find an answer on this. We need to place controls around an application that is accessed via URL, we have moved the URL to citrix, but the certificate is not trusted so it shows the "not…
mks5251
1 vote, 1 answer

How to auto renew OpenVPN client certificates using easyRSA

I have embedded devices that are located in different cities and connected to my OpenVPN server. I initialize my devices before deploying them and put the certificate/key pair through local network. When the devices go online at the remote site they…
1 vote, 1 answer

Multiple CSRs from the same private key

Consider that I generate a new undisclosed private key using openssl: openssl genrsa -out personal.key 2048 I then generate the multiple CSR requests (called csr1.csr and csr2.csr): openssl req -new -sha256 -key personal.key -out csr1.csr openssl…
David Refoua
1 vote, 1 answer

Remote Private Key for Certificate Authority

Background I've been playing around with the idea of using a protected private key wrapped by an API, like Azure KeyVault or Amazon KMS keys to sign certificates for internal Private Key Infrastructure. Conceptually, this is similar to using the…
nbering
1 vote, 2 answers

CA signature algorithm vs certificate public key algorithm

Is there any restriction on the CA's signature algorithm with respect to the public algorithm in the actual server/device certificate? For example, can an ECDHE_ECDSA_* certificate be signed by a CA with RSA and still be within spec? Is this…
1 vote, 1 answer

Is the CSR and public key the exact same thing?

Is the CSR and public key the exact same thing? I require the CSR - can I create a public key from .cer and use it as CSR? I need the CSR for HPKP backup key generation. Is OpenSSL the only way to do this (Windows machine)?
1 vote, 0 answers

CSR and private key generated twice but still prone to drown attack

We generated the CSR and private key, installed the SSL cert and were graded F as our server was prone to DROWN attack. Somehow the private key was the same as another key of an existing server that has SSLv2. We generated another CSR with another…
Serai