为什么在创建 CSR 时使用私钥? [英] Why private key is used amidst creation of CSR?

问题描述

CSR 主要用于创建具有可信公钥的证书.

A CSR is mainly created to create a certificate having trusted public key.

在创建 CSR 之前，

Before creating a CSR,

我们创建一个私钥

openssl genrsa -out key.pem 1024

然后使用该私钥 (key.pem) 创建 CSR(req.pem) 请求.

and then use that private key(key.pem) to create a CSR(req.pem) request.

openssl req -new -key key.pem -out req.pem

<小时>

我看到一个 docker 引擎安装了根证书、服务器证书和私有与 CSR 一起使用

I see that a docker engine is installed with root certificate, server certificate & private used with CSR

在提交 CSR 时提供私钥(key.pem 作为输入)的确切目的是什么?因为证书应该使用父私钥签名

What is the exact purpose of providing private key(key.pem as input) amidst submitting CSR? Because certificate is supposed to be signed with parent private key

在创建 CSR 时是否需要私钥(key.pem)来生成相应的公钥?

Is private key(key.pem) required to generate corresponding public key amidst CSR creation?

或

是否使用私钥(key.pem)加密 CSR 并将生成的签名附加到 CSR 中?

Is private key(key.pem) used to encrypt the CSR and the resulting signature is appended to CSR?

推荐答案

PKCS#10 认证请求的结构 (RFC 2986) 是，松散的描述:

The structure of a PKCS#10 certification request (RFC 2986) is, loosely described:

Request:
    Info:
        Version
        Name
        PublicKey
        Attributes
    SignatureAlgorithmIdentifier
    Signature

属性是请求的属性，如果它们可能是您为生成的证书请求的属性.

The attributes are attributes for the request, where one if them could be attributes you are requesting for the resulting certificate.

CA 可以选择尽可能多地或尽可能少地尊重 CSR.例如，StartSSL 只读取公钥信息，而丢弃了 CSR 的其余部分——他们需要的其他一切都基于您从他们的 Web UI 和您的帐户状态发出的请求.

The CA can respect as much, or as little, from the CSR as it chooses. StartSSL, for example, only read out the public key information, and discarded the remainder of the CSR -- everything else they needed was based on your request from their web UI and your account status.

一般来说，CA 不会忽略公钥值，因为如果他们为您声明了一个新的密钥对，他们需要弄清楚您应该如何获得私钥.因此，公钥部分需要存在且正确.OpenSSL 的命令可以通过读取私钥得到公钥值，然后将其嵌入到 CSR 中.

In general, the CA isn't going to ignore the public key value, because if they asserted a new keypair for you they'd need to figure out how you were supposed to get the private key. So, the public key part needs to be present and correct. OpenSSL's command can get the public key value by reading the private key, then it can embed it in the CSR.

您需要私钥的第二个原因是签署请求.我会断言请求签名的主要原因是强制/强烈建议您在此阶段保存私钥，因此您不会在几分钟后返回请撤销此新证书，我已经丢失了私钥"要求.RFC(也)有这样的说法:

The second reason you need the private key is to sign the request. I'll assert that the main reason the request is signed is to force/strongly-suggest you save the private key at this stage, so you don't come back in a few minutes with a "please revoke this new certificate, I already lost the private key" request. The RFC (also) has this to say:

注 2 - 认证请求上的签名可防止实体请求使用另一方的公钥的证书.这样的攻击将赋予实体假装的轻微能力是由另一方签署的任何消息的发起者.这仅当实体不知道消息时，攻击才有意义被签名并且消息的签名部分不能识别签名者.该实体仍然无法解密消息当然是为对方准备的.

Note 2 - The signature on the certification request prevents an entity from requesting a certificate with another party's public key. Such an attack would give the entity the minor ability to pretend to be the originator of any message signed by the other party. This attack is significant only if the entity does not know the message being signed and the signed part of the message does not identify the signer. The entity would still not be able to decrypt messages intended for the other party, of course.

这篇关于为什么在创建 CSR 时使用私钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！