2

Is the CSR(Certificate Signing Request) containing the public key and the organization details encrypted with the private key?

-If yes, How does the certificate Authority decrypt it, as the public key in the CSR is also encrypted?

-If no, How can the CA be sure that the CSR issuer has the private key?

Siri
  • Maybe it is signed and not encrypted... – dan1st Jun 13 '20 at 06:39
  • @dan1st what do you mean? – Siri Jun 13 '20 at 06:52
  • It may be handed and the hash is encrypted. However, this wouldn't help as the attacker could just change both. – dan1st Jun 13 '20 at 06:53
  • @dan1st What's the difference between sign and encrypt? – Siri Jun 13 '20 at 07:01
  • 1
    Signing is creating a hash and encrypting it with the private key. – dan1st Jun 13 '20 at 07:02
  • @dan1st "It may be handed and the hash is encrypted. However, this wouldn't help as the attacker could just change both." What's handed? The private key? The private key is never part of the CSR – Siri Jun 13 '20 at 07:15
  • The hash is "encrypted" with the private key so that only the issuer can change it. However, the CSR would need to be encrypted with the public key of the CA too. – dan1st Jun 13 '20 at 07:17
  • 1
    @dan1st No, the CA generates the certificate, which is another object. The certificate will contain the CSR issuer's public key and part of the information, all signed with the CA private key. – Siri Jun 13 '20 at 07:46
  • Dupe https://stackoverflow.com/questions/15216440/does-a-csr-need-to-be-signed-with-the-matching-private-key https://crypto.stackexchange.com/questions/40457/why-is-a-csr-signed-and-which-key-is-used-for-signing https://security.stackexchange.com/questions/109032/why-should-my-certificate-signing-request-be-signed-by-my-private-key – dave_thompson_085 Jun 13 '20 at 08:39

2 Answers

2

The structure of a CSR is defined in PKCS #10, which is republished as RFC 2986.

A CSR includes, among other things, the public key of the requestor. The CA needs to verify that the requestor does hold the corresponding private key. To ensure the ownership of the private key, the requestor signs the CSR's data with its private key.

When the CA receives a CSR, it extracts the public key of the requestor and validates the signature. If validation fails, the CSR is rejected.

The Wikipedia page includes a sample CSR with a field-by-field decomposition. The sample is a request for a certificate with an RSA public key and is signed using the md5WithRSAEncryption algorithm.

Pak Uula
  • and is the signature encrypted? => privateKeyEncryption(md5WithRSAEncryption(csr)) ? – Siri Jun 13 '20 at 07:42
  • No. When RSA is used, signing a message is [similar to encryption](https://crypto.stackexchange.com/questions/9896/how-does-rsa-signature-verification-work/9897). When CSR key is based on elliptic curves, [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) is used. – Pak Uula Jun 13 '20 at 07:50
  • So "To ensure the ownership of the private key the requestor signs the CSR's data with its private key." is not always true? It depends on the public key type? – Siri Jun 13 '20 at 08:11
  • Siri: also https://stackoverflow.com/questions/9314102/ https://stackoverflow.com/questions/454048/ https://stackoverflow.com/questions/58663814/ and crossdupes linked at https://security.stackexchange.com/questions/159282/#159289 . Yes, the CSR is always signed, which uses the private key, but is NOT encryption. – dave_thompson_085 Jun 13 '20 at 08:35
  • 1
    There are several different digital signature algorithms. They all possess the following property: _a digital signature created using a specific private key can be verified by the corresponding public key **only**_. Most digital signature algorithms have nothing to do with encryption. – Pak Uula Jun 13 '20 at 08:39
  • so md5WithRSAEncryption is based on the private key after all? – Siri Jun 13 '20 at 08:40
  • 1
    Yes, it is, but the way it uses the private key is different from RSA encryption. – Pak Uula Jun 13 '20 at 08:46
  • But is it still the same private key? The first answer here https://security.stackexchange.com/questions/68822/trying-to-understand-rsa-and-its-terminology/68836#answer-68836 says that it is not always the same pair of keys that is used for signing and encrypting? – Siri Jun 13 '20 at 10:01
1

Is the CSR(Certificate Signing Request) containing the public key and the organization details encrypted with the private key?

It is easy to check that it isn't.

1) Create a private key and associated CSR:

openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout example.key -out example.csr

2) I now have 2 files, the private key and the CSR. Let us show the content of the CSR after having deleted the private key, just to make sure it is not needed, and compare it with the output while the private key is still present.

With the private key still there:

$ openssl req -noout -text -in example.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e2:23:3c:4e:d8:39:ce:9a:16:2f:e2:ef:e7:9b:
                    5d:7f:20:a7:9a:4b:dd:54:ad:6b:b3:ff:33:78:65:
                    f2:b1:e1:e3:b5:eb:23:9d:da:b3:8d:3c:2f:1f:60:
                    9a:17:36:df:0f:4e:3a:bd:fb:9f:73:d5:00:c2:65:
                    04:a2:77:e6:5b:27:f2:30:8f:57:31:c8:bf:d1:0a:
                    cc:db:f5:95:8e:98:ff:34:c5:ed:68:57:f8:43:47:
                    41:ff:cb:6d:27:ae:de:33:95:cd:d6:0a:f8:0b:25:
                    27:99:4e:6b:7d:d8:c4:dd:83:97:57:7a:42:69:4c:
                    41:e2:d6:7f:86:d0:6f:1b:c2:30:b2:e7:a9:ee:5b:
                    9d:a1:ce:80:ec:45:a6:ad:a4:6e:b1:6a:b1:68:ef:
                    c4:7d:5b:6c:e5:24:fe:54:f9:bb:09:48:5c:49:ca:
                    fe:41:28:bc:48:e8:02:bf:ac:b0:5b:c6:3f:bb:0e:
                    17:d4:31:02:31:27:b1:a3:7a:ff:82:49:f0:11:10:
                    64:53:44:ca:61:82:fd:3a:82:5c:07:48:23:1f:db:
                    e5:0f:64:79:09:19:25:b4:a5:07:42:d3:b4:54:75:
                    61:13:43:63:34:a2:72:55:07:d6:d1:8c:74:31:cb:
                    5c:54:1e:6a:e7:04:86:35:4c:d9:a4:31:3f:fd:36:
                    9c:59
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         6d:fb:a6:e5:2b:89:5c:ef:5c:ca:cc:d3:9a:3d:b1:c1:41:9d:
         b5:55:ca:2c:17:ca:ea:74:1d:79:b9:16:ec:81:08:95:94:98:
         e1:2b:50:c7:46:eb:d4:97:09:25:cc:da:b4:bd:34:3c:5a:14:
         c8:88:ed:21:99:63:e9:c0:0e:fa:bb:5d:a7:27:11:22:61:a1:
         1f:d3:65:c8:cc:14:ff:d7:ce:19:29:14:67:ed:e5:b8:31:b5:
         25:55:8e:59:42:f1:2a:6d:f9:fe:4a:be:08:b9:23:c5:b6:3b:
         c8:7e:3f:0c:bd:bb:37:f6:fd:5a:0e:50:50:43:8e:59:f7:b6:
         77:06:50:b2:45:2a:17:f4:53:5a:7c:3c:50:6d:de:74:e3:0e:
         df:94:48:bc:a9:fa:b8:a1:9a:3e:dc:10:c8:50:cb:9b:a7:49:
         cc:ac:88:66:54:e6:d3:06:81:95:f4:ac:e1:61:d7:88:18:74:
         e8:8e:d2:8d:e9:71:7f:99:41:b9:b3:a1:ad:af:d6:0b:2f:46:
         8d:fa:c4:29:b4:40:38:fb:80:31:33:5c:62:67:62:dd:62:14:
         36:fe:8f:8d:36:dc:0c:52:7b:0b:46:1c:58:94:2f:84:a9:54:
         b0:a8:78:a0:9d:30:e9:0d:2f:a5:09:7d:3e:4e:75:16:56:f7:
         94:a7:09:8f

Now removing the private key:

rm example.key

and decoding the CSR again:

$ openssl req -noout -text -in example.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e2:23:3c:4e:d8:39:ce:9a:16:2f:e2:ef:e7:9b:
                    5d:7f:20:a7:9a:4b:dd:54:ad:6b:b3:ff:33:78:65:
                    f2:b1:e1:e3:b5:eb:23:9d:da:b3:8d:3c:2f:1f:60:
                    9a:17:36:df:0f:4e:3a:bd:fb:9f:73:d5:00:c2:65:
                    04:a2:77:e6:5b:27:f2:30:8f:57:31:c8:bf:d1:0a:
                    cc:db:f5:95:8e:98:ff:34:c5:ed:68:57:f8:43:47:
                    41:ff:cb:6d:27:ae:de:33:95:cd:d6:0a:f8:0b:25:
                    27:99:4e:6b:7d:d8:c4:dd:83:97:57:7a:42:69:4c:
                    41:e2:d6:7f:86:d0:6f:1b:c2:30:b2:e7:a9:ee:5b:
                    9d:a1:ce:80:ec:45:a6:ad:a4:6e:b1:6a:b1:68:ef:
                    c4:7d:5b:6c:e5:24:fe:54:f9:bb:09:48:5c:49:ca:
                    fe:41:28:bc:48:e8:02:bf:ac:b0:5b:c6:3f:bb:0e:
                    17:d4:31:02:31:27:b1:a3:7a:ff:82:49:f0:11:10:
                    64:53:44:ca:61:82:fd:3a:82:5c:07:48:23:1f:db:
                    e5:0f:64:79:09:19:25:b4:a5:07:42:d3:b4:54:75:
                    61:13:43:63:34:a2:72:55:07:d6:d1:8c:74:31:cb:
                    5c:54:1e:6a:e7:04:86:35:4c:d9:a4:31:3f:fd:36:
                    9c:59
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         6d:fb:a6:e5:2b:89:5c:ef:5c:ca:cc:d3:9a:3d:b1:c1:41:9d:
         b5:55:ca:2c:17:ca:ea:74:1d:79:b9:16:ec:81:08:95:94:98:
         e1:2b:50:c7:46:eb:d4:97:09:25:cc:da:b4:bd:34:3c:5a:14:
         c8:88:ed:21:99:63:e9:c0:0e:fa:bb:5d:a7:27:11:22:61:a1:
         1f:d3:65:c8:cc:14:ff:d7:ce:19:29:14:67:ed:e5:b8:31:b5:
         25:55:8e:59:42:f1:2a:6d:f9:fe:4a:be:08:b9:23:c5:b6:3b:
         c8:7e:3f:0c:bd:bb:37:f6:fd:5a:0e:50:50:43:8e:59:f7:b6:
         77:06:50:b2:45:2a:17:f4:53:5a:7c:3c:50:6d:de:74:e3:0e:
         df:94:48:bc:a9:fa:b8:a1:9a:3e:dc:10:c8:50:cb:9b:a7:49:
         cc:ac:88:66:54:e6:d3:06:81:95:f4:ac:e1:61:d7:88:18:74:
         e8:8e:d2:8d:e9:71:7f:99:41:b9:b3:a1:ad:af:d6:0b:2f:46:
         8d:fa:c4:29:b4:40:38:fb:80:31:33:5c:62:67:62:dd:62:14:
         36:fe:8f:8d:36:dc:0c:52:7b:0b:46:1c:58:94:2f:84:a9:54:
         b0:a8:78:a0:9d:30:e9:0d:2f:a5:09:7d:3e:4e:75:16:56:f7:
         94:a7:09:8f

Conclusion: same results, proving the key is not needed.

Of course:

1) it was trivial to see that immediately, because if the key were needed when decoding the CSR, you would have needed to specify it on the openssl command line (it does not poke randomly at files);

2) it is of course silly to have deleted the private key, because now if some certificate is indeed created out of this CSR, it is useless, as the matching private key does not exist anymore.

Patrick Mevzek
  • So how does the CA validate who issued the CSR? – Siri Jul 03 '20 at 23:03
  • It does not need to technically (for TLS at least, just having the public key is enough for the CA to create the certificate). But if using a CSR, the CSR includes a signature made by the private key. – Patrick Mevzek Jul 03 '20 at 23:11
  • oh ok. The question was concerning CSR. So CSR does need the private key. – Siri Jul 04 '20 at 00:02
  • "So CSR does need the private key" for its creation, because of the signature. Not later to read it. It is public data. – Patrick Mevzek Jul 04 '20 at 16:43