
I am learning the TLS protocol and I don't like one moment: the moment of CSR creation. Why is it encoded? What encoding does it use? And the biggest question is: why does a CSR-creating command require a private key? Isn't it a security breach?

The typical command is:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key

Where "CSR.csr" is CSR-request and "privatekey.key" is my private key.

All I found in Google is "it is made for practical reasons". What reasons? It's very suspicious that my request for PUBLIC key publication requires my PRIVATE key for useless CSR encoding, which contains only my data and public key and which can be decoded by everyone. It's too suspicious. I think this breach was made for the Certificate Authority to somehow get a private key during decoding and then provide it to some interested persons.

Igni Serpens

1 Answer

Why is it encoded?

Well, it is encoded according to the Public Key Cryptography Standards (PKCS). For a CSR two standards can be used: PKCS#10 (single request) or enveloped PKCS#7, which contains an embedded PKCS#10 request and additional information (for example, external signatures, renewal certificate). The X.509 standard series uses ASN.1 DER (Distinguished Encoding Rules) encoding to convert structures to a byte stream. Encoding is used just for the presentation layer, which is easy to operate with and send over wires.

Why a CSR-creating command requires a private key

The private key is not included in the request; it is used to digitally sign the request. This step is necessary for the CA to ensure that the request wasn't tampered with or modified between CSR creation and submission. So it is not a security breach. Only the public key is included in the request. It is nearly impossible to deduce the private key from the public key.

Crypt32