5

I'm using OpenSSL. All references on OpenSSL focus on the following two commands to create a CSR: one requires you to input an already existing private key (and derives the public key???) and the second will create a new key pair. I want to use MY public key, not create a new one.

Create a CSR and private key:

openssl req -newkey rsa:2048 -keyout my.key -out my.csr

Create a CSR from an existing private key:

openssl req -key my.key -out my.csr

For the first option I don't see why you need the private key as a parameter in the command. I see a lot of websites saying that the CSR is encrypted, but that does not seem to be true. If you drop a CSR into a CSR decoder (i.e. http://www.sslshopper.com/csr-decoder.html) then it can be parsed; thus my only conclusion is that it is only encoded, NOT encrypted.

Why is the private key inputted into these commands? How is the private key even utilized? If it is encrypting something, what is it encrypting?

If it is not used, can someone please tell me how to create a CSR with just the public key of my key pair?

Thanks in advance

425nesp
  • 6,936
  • 9
  • 50
  • 61
funa68
  • 909
  • 3
  • 12
  • 21

1 Answer

7

CSRs are signed using the private key to prevent tampering in transit to the CA. Accordingly, you need the private key to create one.

It is possible to create a CSR that has no signature, but such constructions are not common and the openssl binary itself has no provisions for creating them.

When generating a new CSR+key pair using the openssl command you listed first, it is not encrypting the CSR (as that's not a desirable behavior; the CSR is the public data you submit, not secret information), but rather the private key.

Paul Kehrer
  • 13,466
  • 4
  • 40
  • 57
  • What if I have TWO key pairs (PubKey1, PrivKey1, PubKey2, PrivKey2). First thing I do is move PrivKey1 to another machine. Is there a way where I can use PubKey1 to make the CSR (without access to PrivKey1), but sign it with PrivKey2 to preserve integrity? Now assume there is a scenario where I need it to work like this; would this solve the integrity issue AND is there a way I can create the CSR with PubKey1 without PrivKey1? – funa68 Mar 05 '13 at 01:36
  • @jww - thanks for commenting. I agree what I was saying in the last comment does not make sense. I think I was just trying to run through hypothetical situations back in 2013. – funa68 Jun 17 '15 at 19:51
  • @Paul Kehrer: You seem to be suggesting that the openssl command is encrypting the private key ("the openssl command you listed first it is not encrypting the CSR (...), but rather the private key.") This isn't correct. The private key is not being encrypted, but just used to encrypt CSR's info. According to [RFC 2986](https://tools.ietf.org/html/rfc2986#section-4.2): "signature is the result of signing the certification request information with the certification request subject's private key." – Armin May 24 '17 at 17:11
  • @Armin In the question the command `openssl req -newkey rsa:2048 -keyout my.key -out my.csr` will both generate a private key and use it to sign a CSR. OpenSSL, by default, prompts for a password and uses that to encrypt the private key on disk. – Paul Kehrer May 25 '17 at 13:30
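The following script is an added demonstration covering both the question and the answer above; it is not code from the question, the answer, or OpenSSL's own documentation. It generates a key pair and a CSR with the `openssl` CLI, reads the subject and the public key back out of the CSR with no key at all (the CSR is encoded, not encrypted), runs the self-signature check a CA performs, then overwrites one byte of the subject inside the DER and shows that the CSR still parses but the signature no longer verifies. Finally it shows that `req -key` refuses a file holding only the public key, which is the direct answer to the last question asked. It assumes `openssl` 1.1.1 or 3.x on PATH; the temporary file names, the minimal config and the subject `csr-demo.test` are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added demonstration (not from the question or answer above): a CSR is
# signed with the private key, never encrypted. Assumes the `openssl`
# CLI (1.1.1 or 3.x). File names and the subject are constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so `req` runs non-interactively together with -subj.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

# 1. Generate an unencrypted RSA key and a CSR signed with it.
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/key.pem" \
        -subj "/CN=csr-demo.test" -out "$WORK/csr.pem" 2>/dev/null
}

# 2. Encoded, not encrypted: subject and public key come straight out
#    of the CSR without any key.
csr_subject() {
    openssl req -config "$WORK/req.cnf" -in "$WORK/csr.pem" -noout -subject
}

# The public key carried in the CSR is the one derived from the private key.
csr_pubkey_matches_key() {
    a="$(openssl req -config "$WORK/req.cnf" -in "$WORK/csr.pem" -noout -pubkey)"
    b="$(openssl pkey -in "$WORK/key.pem" -pubout)"
    [ "$a" = "$b" ]
}

# 3. The signature check a CA performs. Matches both the 1.1.1 output
#    ("verify OK") and the 3.x one ("... self-signature verify OK").
csr_verifies() {
    openssl req -config "$WORK/req.cnf" -in "$1" -inform "$2" -noout -verify 2>&1 \
        | grep -q 'verify OK'
}

# 4. Overwrite the first byte of the CN inside the DER body ("c" -> "X").
#    asn1parse gives the element's offset and header length (hl).
make_tampered_csr() {
    openssl req -config "$WORK/req.cnf" -in "$WORK/csr.pem" \
        -outform DER -out "$WORK/tampered.der"
    line="$(openssl asn1parse -inform DER -in "$WORK/tampered.der" \
        | grep ':csr-demo.test' | head -n 1)"
    off="$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')"
    hl="$(printf '%s' "$line" | sed -n 's/.*hl=\([0-9]*\).*/\1/p')"
    printf 'X' | dd of="$WORK/tampered.der" bs=1 seek=$((off + hl)) \
        conv=notrunc 2>/dev/null
}

tampered_subject() {
    openssl req -config "$WORK/req.cnf" -in "$WORK/tampered.der" -inform DER \
        -noout -subject
}

# 5. `req` needs the *private* key: a public-key-only file is rejected.
csr_from_pubkey_only_fails() {
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
    if openssl req -new -config "$WORK/req.cnf" -key "$WORK/pub.pem" \
         -subj "/CN=csr-demo.test" -out "$WORK/never.csr" 2>/dev/null; then
        return 1
    fi
    return 0
}

make_csr
make_tampered_csr
echo "original subject: $(csr_subject)"
echo "tampered subject: $(tampered_subject)"
```

Because `genpkey` is run without a cipher option, the private key file is written unencrypted and no passphrase prompt appears; the prompt described in the last comment is the `req -newkey` default of encrypting the key file it writes, not anything done to the CSR. The tampered request still decodes to a readable subject, so the only thing standing between a CA and a silently altered request is the signature that `-verify` checks.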