Why do I have to create a certificate request (CSR) from the private key?


Question


I am trying to create a Certificate Request (CSR) from the below method where I need to give the private key. My understanding is that a CSR needs/contains only the public key information with the other details about the requestor like Company Name, etc. But if I extract the public key and pass it while creating the CSR, it throws the below error, so I am wondering why it requires a private key. Although I understand the private key contains the public key as well, is it just because the public key is trusted when it's with the private key in the form of a key pair, or something else?

openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048

openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr

Trying to generate with the public key:

openssl rsa -in domain.com.key.pem -pubout -out domain.publickey

openssl req -new -sha256 -key domain.publickey -out cert.csr

unable to load Private Key
140258108909384:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

Recommended answer


The whole point of the certificate is to establish a relationship between the private key and you as the identity in the certificate.

  • The CSR is signed by the private key and verified by the CA (with the public key in the CSR), so he knows you have that key pair.
  • So he verifies offline that you are who you say you are, own that domain, etc., then he signs it with his private key.
  • So then if a third party trusts him, he can trust what the certificate says, which is that its owner is who it says.
  • Then if he can establish that the peer he is talking to owns that certificate, via another signature in the SSL handshake using your private key, he knows that the peer is you.
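
The proof-of-possession check from the first bullet, as an added shell example that is not part of the original answer: it builds a CSR, verifies its self-signature the way a CA would, shows that changing a signature byte makes verification fail, and reproduces the failure of signing with only the public key. The file names, the subject demo.example and the helper functions are constructed for this example.

```shell
# Constructed demo: file names, subject and helper names are invented here.
WORK=$(mktemp -d)

# Succeeds only if the CSR's self-signature verifies against the public key
# embedded in the CSR. The output is parsed because some OpenSSL versions
# exit 0 even when verification fails.
csr_sig_ok() {   # $1 = CSR file, $2 = PEM or DER
    openssl req -in "$1" -inform "$2" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Create a CSR signed with the given key file; -subj avoids the prompts.
make_csr() {     # $1 = key file, $2 = output CSR
    openssl req -new -sha256 -key "$1" -subj "/CN=demo.example" -out "$2" 2>/dev/null
}

# Copy a DER CSR but change its last byte, which belongs to the signature.
tamper_sig() {   # $1 = DER CSR in, $2 = DER CSR out
    size=$(wc -c < "$1")
    last=$(tail -c 1 "$1" | od -An -tu1 | tr -d ' \n')
    if [ "$last" = 0 ]; then new='\001'; else new='\000'; fi
    head -c $((size - 1)) "$1" > "$2"
    printf "$new" >> "$2"
}

openssl genrsa -out "$WORK/demo.key" 2048 2>/dev/null
openssl rsa -in "$WORK/demo.key" -pubout -out "$WORK/demo.pub" 2>/dev/null
make_csr "$WORK/demo.key" "$WORK/demo.csr"
openssl req -in "$WORK/demo.csr" -outform DER -out "$WORK/demo.der"
tamper_sig "$WORK/demo.der" "$WORK/bad.der"

csr_sig_ok "$WORK/demo.csr" PEM && echo "genuine CSR: signature verifies"
csr_sig_ok "$WORK/bad.der" DER  || echo "tampered CSR: signature rejected"
make_csr "$WORK/demo.pub" "$WORK/pub.csr" || echo "public key alone: cannot sign a CSR"
```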
