
I am generating a certificate and a pkcs12 file using openssl according to the following steps:

# Create the private key (AES-256 encrypted; the RSA public key is contained in it)
openssl genrsa -aes256 -out mykey.key 2048

# Create the CSR from the private key (the public key is copied into the request)
openssl req -config openssl.cnf -key mykey.key -new -sha256 -out mycsr.csr

# Have the CA sign the CSR and issue the certificate
openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in mycsr.csr -out mycert.pem

# Bundle certificate, private key and CA certificate into a PKCS#12 file
openssl pkcs12 -export -in mycert.pem -inkey mykey.key -out myp12.p12 -name NAME -CAfile ca.pem -caname MYCA

While I am able to use the certificates I generate to connect to my server, I am confused about what is actually being created. I assumed that the public/private key pair was represented by the certificate itself and the private key, but I have recently read that the private key needs to be created in order for the CSR to be created. So my questions are:

1: Is the public key created implicitly during the CSR creation process?

2: If the public key is created, why does my PKCS#12 file not require it? Or is my original assumption that the certificate is the public key correct?

My main focus in asking this is to avoid potentially exposing my private key. Thanks for any answers in advance.

nb12345

1 Answer


It seems that you can find all your answers regarding your first question in this thread:

Use RSA private key to generate public key?

Regarding the 2nd question... the X.509 certificate is not the public key itself, but the X.509 certificate binds a public key to an identity (the subject of the certificate). Hence, when you create a PKCS#12 file you put inside it the certificate and the private key, and with your command you then also put in the Certificate Authority certificate.

I hope it helps.

Seba

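The relationship described in the question and answer can be checked directly with OpenSSL. The script below is an added example, not code from the original question or answer: it generates a key, a CSR and a self-signed certificate (standing in for the `openssl ca` step, so no openssl.cnf is needed), then shows that the public key extracted from the private key is byte-identical to the one carried in the certificate, and that the resulting PKCS#12 bundle contains the private key and is therefore as sensitive as the key file itself. The file names, subject and password are constructed for the example; it assumes an OpenSSL 1.1.1 or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example (not part of the original post). Demonstrates:
#   - the public key is part of the private key file and is merely extracted;
#   - the CSR and the certificate carry that same public key;
#   - a PKCS#12 bundle contains the private key, so it must be protected.
# Assumptions: OpenSSL 1.1.1+ on PATH; file names, subject and password are
# constructed for this demonstration only.
set -eu

WORK=$(mktemp -d)
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT
PASS="pass:example-password"   # constructed; never hard-code a real one

# 1. Private key. An RSA private key contains the modulus and public
#    exponent, so "openssl pkey -pubout" only extracts the public half.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/mykey.key" 2>/dev/null
}

# 2. CSR built from the private key: the public key is copied into the
#    request and the request is signed with the private key.
gen_csr() {
    openssl req -new -key "$WORK/mykey.key" -subj "/CN=example.test" \
        -out "$WORK/mycsr.csr" 2>/dev/null
}

# 3. Self-signed certificate (stands in for the "openssl ca" step).
gen_cert() {
    openssl x509 -req -in "$WORK/mycsr.csr" -signkey "$WORK/mykey.key" \
        -days 1 -out "$WORK/mycert.pem" 2>/dev/null
}

# 4. PKCS#12 bundle: private key + certificate (+ CA chain, if given).
gen_p12() {
    openssl pkcs12 -export -in "$WORK/mycert.pem" -inkey "$WORK/mykey.key" \
        -name example -passout "$PASS" -out "$WORK/myp12.p12" 2>/dev/null
}

# Returns 0 when the SubjectPublicKeyInfo inside the certificate is
# byte-identical to the public key derived from the private key.
cert_matches_key() {
    pub_from_key=$(openssl pkey -in "$WORK/mykey.key" -pubout)
    pub_from_cert=$(openssl x509 -in "$WORK/mycert.pem" -noout -pubkey)
    [ "$pub_from_key" = "$pub_from_cert" ]
}

# Returns 0 when the bundle contains a private key: the .p12 file needs the
# same handling as mykey.key (restrictive permissions, strong password).
p12_contains_private_key() {
    openssl pkcs12 -in "$WORK/myp12.p12" -passin "$PASS" -nodes -nocerts \
        2>/dev/null | grep -q "PRIVATE KEY"
}

# Runs the whole chain; returns non-zero if any step or check fails.
run_demo() {
    gen_key && gen_csr && gen_cert && gen_p12 \
        && cert_matches_key && p12_contains_private_key
}
```

Running `run_demo` end-to-end answers both questions: no separate public-key file is ever produced because the public key lives inside the private key, the CSR and the certificate; and the PKCS#12 file does not need one for the same reason, while it does carry the private key, so it should never be shared as if it were just "the certificate".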