如何从密钥对和现有密钥对的公共密钥创建证书服务请求(CSR)(假设私有密钥位于其他位置的安全位置)? [英] How can I create a Certificate Service Request (CSR) from and existing public key of a key pair (assume the private key is in a safe spot elsewhere)?
问题描述
我正在使用OpenSSL. openSSL的所有参考都集中在以下两个创建CSR的命令上:一个要求您输入一个已经存在的私钥(并导出公钥???),第二个将创建一个新的密钥对.我想使用我的公钥而不创建新的公钥.
I'm using OpenSSL. All references of openSSL focus on the following two commands to create a CSR; One require you to input an already existing private key (and derives the public key???) and the second will create a new key pair. I want to use MY public key not create a new one.
创建CSR和私钥:
openssl req -newkey rsa:2048 -keyout my.key -out my.csr
从现有私钥创建CSR:
Create a CSR from an existing private key:
openssl req -key my.key -out my.csr
对于第一个选项,我不明白为什么在命令中需要私钥作为参数.我看到很多网站都说CSR是加密的,但这似乎并非如此.如果您将CSR放入CSR解码器中(即 http://www.sslshopper.com/csr-解码器.html ),然后可以对其进行解析;因此,我唯一的结论是,仅对其进行了编码而未加密.
For the first option i don't see why you need the private key as a parameter in the command. I see a lot of websites saying that the CSR is encrypted, but that does not seem to be true. If you drop a CSR into a CSR decoder (ie http://www.sslshopper.com/csr-decoder.html) then it can be parsed; thus my only conclusion is that it is only encoded NOT encrypted.
为什么私钥输入到这些命令中?私钥如何使用?如果它正在加密某些东西,那么它在加密什么?
Why is the private key inputted into these commands? How is the private key even utilized? If it is encrypting something, what is it encrypting?
如果不使用它,有人可以告诉我如何仅使用我的密钥对的公共密钥来创建CSR吗?
If it is not used, can someone please tell me how to create a CSR with just the public key of my key pair?
预先感谢
推荐答案
使用私钥对CSR进行签名,以防止篡改向CA的传输.因此,您需要私钥来创建一个.
CSRs are signed using the private key to prevent tampering in transit to the CA. Accordingly, you need the private key to create one.
可以创建没有签名的CSR,但是这种构造并不常见,openssl二进制文件本身也没有创建它们的规定.
It is possible to create a CSR that has no signature, but such constructions are not common and the openssl binary itself has no provisions for creating them.
使用您首先列出的openssl命令生成新的CSR +密钥对时,它不是对CSR进行加密(因为这不是理想的行为.CSR是您提交的公共数据,不是秘密信息),而是私有的键.
When generating a new CSR+key pair using the openssl command you listed first it is not encrypting the CSR (as that's not a desirable behavior. The CSR is the public data you submit, not secret information), but rather the private key.
这篇关于如何从密钥对和现有密钥对的公共密钥创建证书服务请求(CSR)(假设私有密钥位于其他位置的安全位置)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
