34

I've generated a self certified SSL cert for testing a new web site. The time has come for the site to go live and I now want to purchase a cert from GeoTrust. Can I use the same CSR that I generated for the self cert, or do I need to create a new one?

Rich

Coops
kim3er

4 Answers

27

As long as you're using the same key, domain (aka common name), contact details and validity period, you should be able to use the same CSR.

Though to be honest, generating a CSR is a pretty simple job, so if you need to amend the contact details (which a lot of SSL providers are strict on) it's not a big deal.

Coops
    I agree. Generating a CSR is such a trivial task I don't see why you'd even bother trying to reuse one. – joeqwerty Jul 01 '11 at 12:18
    Once you have OpenSSL installed, you can generate a new CSR in about 30 seconds. And if you think it will take you much longer- *then definitely do it because you need the practice*!!!!! – Austin ''Danger'' Powers Mar 31 '13 at 02:17
    Not applicable to the OP's case, but if you're looking to use certificate pinning, it's more practical to use the same CSR than to update your client side apps. – black May 22 '16 at 06:29
  • If the key, domain, and details are the same, the CSR will be identical. – graywh Jun 05 '19 at 15:31
  • "and validity period" FWIW, OpenSSL won't let me generate a CSR with a validity period: `Ignoring -days; not generating a certificate`. Was that part of the answer a mistake? – Ajedi32 Nov 02 '20 at 19:29
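The claims in this answer and its comments (same key plus same subject gives the same CSR; the CSR's public key can be matched against the private key, the comparison Julien's answer below annotates by hand; a CSR has no validity period) can be checked directly. The script below is an added example, not code from the question or any answer; it needs only OpenSSL 1.1 or 3.x on the PATH, and the subject DN, the file names and the helper names `make_csr`, `csr_matches_key`, `csr_identical` and `csr_validity_lines` are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post.  Checks the claims made in the
# answer above and in its comments: the same key and subject give the same CSR,
# a CSR's public key can be matched against a private key, and a CSR has no
# validity period.  Subject, file names and helper names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
umask 077                      # private keys must never be group/world readable

SUBJ="/C=GB/O=Example Ltd/CN=www.example.com"   # constructed subject DN

# make_csr <key> <subject> <out.csr>: CSR with a SHA-256 self-signature, no prompts.
make_csr() {
    openssl req -new -batch -sha256 -key "$1" -subj "$2" -out "$3" 2>/dev/null
}

# csr_matches_key <csr> <key>: "match" if the CSR's RSA modulus equals the key's,
# "MISMATCH" otherwise.  Run this before sending any CSR to a CA.
csr_matches_key() {
    csr_mod="$(openssl req -in "$1" -noout -modulus)"
    key_mod="$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)"
    if [ "$csr_mod" = "$key_mod" ]; then echo match; else echo MISMATCH; fi
}

# csr_identical <a.csr> <b.csr>: "identical" if the PEM files are byte-for-byte equal.
csr_identical() {
    if cmp -s "$1" "$2"; then echo identical; else echo different; fi
}

# csr_validity_lines <csr>: number of "Not Before"/"Not After" lines in the dump.
# A CSR has none; those fields exist only in the certificate the CA issues.
csr_validity_lines() {
    openssl req -in "$1" -noout -text | grep -cE 'Not (Before|After)' || true
}

openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null   # the one key we reuse
openssl genrsa -out "$WORK/other.key"   2048 2>/dev/null   # an unrelated key

make_csr "$WORK/private.key" "$SUBJ" "$WORK/first.csr"
make_csr "$WORK/private.key" "$SUBJ" "$WORK/second.csr"   # regenerated, same inputs
make_csr "$WORK/private.key" "/C=GB/O=Example Ltd/CN=shop.example.com" "$WORK/other.csr"

echo "same key, same subject:   $(csr_identical "$WORK/first.csr" "$WORK/second.csr")"    # identical
echo "same key, different CN:   $(csr_identical "$WORK/first.csr" "$WORK/other.csr")"     # different
echo "first.csr vs private.key: $(csr_matches_key "$WORK/first.csr" "$WORK/private.key")" # match
echo "other.csr vs private.key: $(csr_matches_key "$WORK/other.csr" "$WORK/private.key")" # match
echo "first.csr vs other.key:   $(csr_matches_key "$WORK/first.csr" "$WORK/other.key")"   # MISMATCH
echo "validity lines in CSR:    $(csr_validity_lines "$WORK/first.csr")"                  # 0
```

The byte-for-byte equality holds because an RSA CSR is self-signed with PKCS#1 v1.5, which is deterministic. With an ECDSA key the two regenerated files would differ in their signature bytes (OpenSSL's default ECDSA signing draws a fresh random nonce per signature) even though the subject and public key inside are the same, so for those keys compare `openssl req -noout -pubkey` output rather than the files.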
18

For your example case, I don't think it's worth trying to reuse CSRs. However, for a large, diverse team of Apple iOS developers (like I have) there is a good reason to do this. We create (actually, ask Apple to create) all our signing certs and push certs off the same private key. That way we can all collaborate easily on our 85+ apps. For this reason, we keep a single CSR lying around and always use the same one for as long as the key is valid.

As far as I know, there is no reason to repeatedly generate CSRs from a single private key. I'd love to be corrected if I am wrong.

Bruno Bronosky
7

The main benefit of having limited-duration certificates is to reduce the damage if your private key is leaked. Somebody possessing the private key can otherwise impersonate being you forever if you reuse the CSR, because re-using the CSR implies reuse of your private key as well.

Please don't do that; it's better to automate generation of both the private keys and the CSRs, and find convenient ways to distribute the ever-changing private keys to application build servers and push servers. Most mere-mortal developers would normally never need to do a release/distribution build for the app store anyhow, so won't need the private keys.

MadHatter
Stefan L
    While it's true that "re-using the CSR implies reuse of your private key as well", it does not mean that "impersonate being you forever if you reuse the CSR". If you decide to use a key for N months, it's fine to use the same CSR for those N months. – Bruno Bronosky Apr 06 '17 at 17:45
  • Yes, you're right Bruno. I assumed the people reusing the CSR did so out of ignorance and thus continued that practice "forever", however there might of course be a few who are aware of the issues and do so based on careful planning for a limited time. – Stefan L Apr 07 '17 at 06:53
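What "reusing the CSR implies reuse of your private key" means in practice, and why it matters for the certificate-pinning remark under the first answer, can be made visible with the SPKI fingerprint: the SHA-256 of the DER SubjectPublicKeyInfo, which is the value pinning clients store and compare. The script below is an added example, not code from the question or any answer; it needs OpenSSL on the PATH, and the subject DN, file names and helper names `new_key_and_csr`, `csr_from_existing_key`, `spki_pin` and `key_rotated` are made up. It builds a first key and CSR, a renewal CSR from the same key, and a renewal with a fresh key, then shows that the pin only changes when the key does.

```shell
#!/bin/sh
# Added example, not from the original post.  Makes the point of the answer
# above concrete: a CSR built from an old key carries the old key's public
# half, so anything pinned to it (and anyone holding a leaked copy of it) is
# unaffected by the "new" certificate.  The SPKI fingerprint is the value
# pinning clients compare.  Subject, file names and helper names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
umask 077

SUBJ="/O=Example Ltd/CN=www.example.com"   # constructed subject DN

# new_key_and_csr <name>: fresh key and CSR, the per-issuance routine worth automating.
new_key_and_csr() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -batch -sha256 -key "$WORK/$1.key" -subj "$SUBJ" -out "$WORK/$1.csr" 2>/dev/null
}

# csr_from_existing_key <key> <out.csr>: the reuse path, a new CSR from an old key.
csr_from_existing_key() {
    openssl req -new -batch -sha256 -key "$1" -subj "$SUBJ" -out "$2" 2>/dev/null
}

# spki_pin <key-or-csr>: base64(SHA-256(DER SubjectPublicKeyInfo)), i.e. the
# public-key pin a client stores.  Accepts a private key or a CSR.
spki_pin() {
    if grep -q 'CERTIFICATE REQUEST' "$1"; then
        openssl req -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64
}

# key_rotated <previous.key> <new.csr>: "rotated" if the CSR carries a different
# public key than the previous key, "REUSED" if it is the same key again.
key_rotated() {
    if [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]; then echo REUSED; else echo rotated; fi
}

new_key_and_csr gen1                                              # first issuance
csr_from_existing_key "$WORK/gen1.key" "$WORK/renew-reuse.csr"   # renewal, same key
new_key_and_csr gen2                                              # renewal, fresh key

echo "pin of gen1.key:        $(spki_pin "$WORK/gen1.key")"
echo "pin of renew-reuse.csr: $(spki_pin "$WORK/renew-reuse.csr")"   # same as gen1.key
echo "pin of gen2.csr:        $(spki_pin "$WORK/gen2.csr")"          # different
echo "renew-reuse.csr: $(key_rotated "$WORK/gen1.key" "$WORK/renew-reuse.csr")"   # REUSED
echo "gen2.csr:        $(key_rotated "$WORK/gen1.key" "$WORK/gen2.csr")"          # rotated
```

`key_rotated` is the audit check to run against the previous key (or previous certificate, via `openssl x509 -noout -pubkey`) whenever a renewal lands: an unchanged pin means the private key was carried over, which is what Bruno's team wants for its shared signing key and what Stefan's answer argues against for anything that may have leaked.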
2

You can indeed, in theory, reuse the same CSR, as it is just a container for

  • your public key (only numbers, used for RSA encryption (specific maths))
  • your "Subject" details (who you are, what domain, etc.): text used to identify the owner of that public key

This is what a certificate (short for public key certificate) is about, after all.

But as noted in other answers, it is good practice to change the private key regularly, which implies a new certificate, and so a new CSR to get it.

You can easily look at the contents of a CSR, e.g.:

$ openssl req -new -batch -subj "/CN=My Common Name/OU=My Org Unit/O=My Organisation" -sha256 -newkey rsa:2048 -keyout private.key -nodes -out request.csr
Generating a 2048 bit RSA private key
.............................................................................................+++++
.........+++++
writing new private key to 'private.key'
-----

$ ls
private.key  //  keep that private; the public key side is easily generated from it
request.csr  //  your public key + subject details

CSR

$ openssl req -in request.csr -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = My Common Name, OU = My Org Unit, O = My Organisation
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:                    ///////// Matches the PrivateKey modulus
                    00:b1:e8:de:e6:bf:21:45:51:75:15:23:5e:6e:7a:
                    7d:95:53:e5:d5:ec:5b:38:cd:7f:38:2d:53:8a:54:
...
                    fe:b5:78:de:9b:c1:ee:c1:51:6f:fd:fb:0e:62:09:
                    03:87
                Exponent: 65537 (0x10001)   ///////// Matches the PrivateKey publicExponent
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         a1:44:1f:b2:ec:c0:82:bc:99:da:69:ce:3e:77:9f:46:51:95:
...
         3b:2d:84:e3:73:ac:be:c8:da:29:fd:62:90:11:dd:8a:a6:4f:
         7b:f8:ac:f1

And the private key

$ openssl rsa -in private.key -text -noout
// all the numbers below take part in the mathematical encryption (search for RSA maths)
RSA Private-Key: (2048 bit, 2 primes)

// The Numbers that can be freely published
modulus:
    00:b1:e8:de:e6:bf:21:45:51:75:15:23:5e:6e:7a:
    7d:95:53:e5:d5:ec:5b:38:cd:7f:38:2d:53:8a:54:
...
    fe:b5:78:de:9b:c1:ee:c1:51:6f:fd:fb:0e:62:09:
    03:87
publicExponent: 65537 (0x10001)

// The Numbers that must be kept private !
privateExponent:
    0a:81:73:d8:30:65:28:90:bc:d7:38:b5:74:d4:aa:
...
    b1:9b:30:2e:a2:dd:46:c1:10:0f:b0:da:ac:b6:ea:
    01
prime1:
    00:e0:28:01:87:95:70:d0:b8:21:07:e0:4f:96:a6:
...
    66:28:8f:3d:d7:eb:e6:b4:81
prime2:
    00:cb:2e:fe:1b:b6:30:ea:8d:9e:6d:23:83:d8:b6:
...
    4d:64:39:5c:9c:18:a0:14:07
exponent1:
    22:e2:36:f2:b9:af:f7:db:5f:d0:90:f8:f1:d1:ff:
...
    3a:31:a8:87:2c:c0:17:81
exponent2:
    5a:8b:3d:77:f1:ef:c8:86:85:a4:13:20:8d:31:a4:
...
    a5:ba:1e:37:fd:8d:50:7f
coefficient:
    00:d3:d3:b6:81:4b:a9:c2:aa:ff:e1:07:cb:de:ea:
...
    5c:e9:3b:d3:f7:67:82:c3:7f
Julien