3

I am trying to create a Certificate Request (CSR) with the method below, where I need to give the private key. My understanding is that a CSR needs/contains only the public key information, plus the other details about the requestor like Company Name, etc. But if I extract the public key and pass it while creating the CSR, it throws the error below. So I am wondering why it requires a private key, although I understand the private key contains the public key as well. Is it just because the public key is trusted when it's with the private key in the form of a key pair, or something else?

```shell
openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048

openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr
```

Trying to generate using the public key:

```shell
# extract the public key from the private key (-pubout needs -out for the destination file)
openssl rsa -in domain.com.key.pem -pubout -out domain.publickey

openssl req -new -sha256 -key domain.publickey -out cert.csr
```

```text
unable to load Private Key
140258108909384:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
```
mic4ael

Sandy
  • Maybe you can check this out. https://stackoverflow.com/questions/56449727/why-private-key-is-used-amidst-creation-of-csr – CafeBaby Aug 18 '22 at 09:43
  • Maybe you can check this out: [**RFC2986**](https://stackoverflow.com/questions/56449727/why-private-key-is-used-amidst-creation-of-csr) – CafeBaby Aug 18 '22 at 09:48

1 Answer

7

The whole point of the certificate is to establish a relationship between the private key and you as the identity in the certificate.

  • The CSR is signed by the private key and verified by the CA (with the public key in the CSR), so he knows you have that key pair.
  • So he verifies offline that you are who you say you are, own that domain, etc., then he signs it with his private key.
  • So then if a third party trusts him, he can trust what the certificate says, which is that its owner is who it says.
  • Then if he can establish that the peer he is talking to owns that certificate, via another signature in the SSL handshake using your private key, he knows that the peer is you.
user207421
  • 1
    Please read what I wrote here. I *specifically said* 'the CSR is signed by the private key', and I also said why: 'so he knows you have that key pair'. Don't ask me to confirm it. All I can do is to say it all again. Your last sentence doesn't begin to make sense. CSR generation includes the signing step, which involves the private key. And I had already answered the question. – user207421 Aug 12 '15 at 03:45
  • 1
    If my understanding of what signing means is this: to sign a message/CSR, you create its hash and then encrypt the hash with your private key. If the CSR is encrypted, then I am wondering how the CA knows my public key to decrypt the contents of my CSR, since I am not sending the public key separately other than through the CSR? Or is only a portion of the CSR signed and the public key is not? Please clarify. – user1370642 Aug 12 '15 at 15:39
  • 2
    @user1370642 Your understanding of signing is a bit off. The CSR includes your public key and identity information *in plaintext*, and *also* a signature generated with your private key. The CA uses the plaintext version of your public key to verify (not decrypt) your signature. This is how signing generally works: the signature is *added to* the data being signed, not sent instead of the data. – Gordon Davisson Aug 12 '15 at 23:17