Why do I have to create a certificate request (CSR) from the private key?


Question

I am trying to create a Certificate Request (CSR) with the method below, where I need to give the private key. My understanding is that a CSR needs/contains only the public key information, together with other details about the requestor such as Company Name. But if I extract the public key and pass it while creating the CSR, it throws the error below. So I am wondering why it requires a private key. Although I understand the private key contains the public key as well, is it just because the public key is trusted when it's with the private key in the form of a key pair, or something else?

openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048

openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr

Trying to generate it with the public key:

openssl rsa -in domain.com.key.pem -pubout -out domain.publickey

openssl req -new -sha256 -key domain.publickey -out cert.csr

unable to load Private Key
140258108909384:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

Recommended answer

The whole point of the certificate is to establish a relationship between the private key and you as the identity in the certificate.

  • The CSR is signed by the private key and verified by the CA (with the public key in the CSR), so he knows you have that key pair.
  • So he verifies offline that you are who you say you are, own that domain, etc., then he signs it with his private key.
  • So then if a third party trusts him, he can trust what the certificate says, which is that its owner is who it says.
  • Then if he can establish that the peer he is talking to owns that certificate, via another signature in the SSL handshake using your private key, he knows that the peer is you.
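
The CA-side check described in the answer, as an added example that is not part of the original question or answer: it creates a CSR the way the question does, confirms that the request embeds only the public key, verifies the self-signature, and shows that a request altered without the private key no longer verifies. The temporary directory, the file names and the subject `good.example` are constructed for illustration.

```shell
#!/bin/sh
# Added example: the CSR self-signature as proof of possession.
# File names and the subject CN=good.example are constructed for illustration.

# Generate a key pair, then a CSR signed with the private key (as in the question).
make_csr() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/key.pem" -subj "/CN=good.example" \
        -outform DER -out "$1/req.der"
}

# The CSR embeds only the public half: compare it with the key file's public key.
csr_pubkey_matches_key() {
    from_csr=$(openssl req -inform DER -in "$1/req.der" -noout -pubkey)
    from_key=$(openssl rsa -in "$1/key.pem" -pubout 2>/dev/null)
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# The CA's check: verify the request's signature with the public key inside it.
# The output text is matched because some openssl versions exit 0 on failure.
csr_signature_ok() {
    openssl req -inform DER -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Someone without the private key rewrites the subject (same length, so the
# DER structure stays valid); the old signature no longer covers the content.
tamper_subject() {
    LC_ALL=C sed 's/good\.example/evil.example/' "$1/req.der" > "$1/tampered.der"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_csr "$work"
tamper_subject "$work"
csr_pubkey_matches_key "$work" && echo "CSR public key matches the key pair"
csr_signature_ok "$work/req.der" && echo "original request: signature verifies"
csr_signature_ok "$work/tampered.der" || echo "tampered request: signature rejected"
```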
