在证书签名请求(CSR)中使用公钥 [英] Use of Public key in the certificate signing request ( CSR )

问题描述

在我们的服务器上创建CSR时将生成公钥和私钥对.我们将通过持有我们的私钥将CSR和公钥发送给CA.在使用CA的根证书的私钥进行签名之前，CA会先验证我们的公钥.我们有自己的CA团队来认证CSR请求.我的查询如下:

Public and private-key pair will be generated during the creation of CSR on our server. We will send the CSR and public key to CA by holding private key with us. CA will validate our public key before signing it with private key of CA's root certificate. We are having our own CA team to certify the CSR requests. My queries are as follows:

1. CSR本身会包含公钥吗?还是需要向CA分别提供公钥?
2. 在将CSR发送到CA之前，将其用我们的公钥签名吗?(或)除此以外，CSR还应持有公钥?
3. CA是否仅通过CSR(或)对CSR +公钥的组合集进行签名??
4. 我们是否应该在客户端和服务器端的信任库中安装CA的根证书和中间证书?因为我们使用的是自己的CA，而不是全局CA.
5. 当我们向客户端提供服务器证书时，该证书将包括服务器的公钥吗??
6. 出于加密目的，我们是否应该在客户端的信任库中安装服务器的公钥?

感谢您的帮助.

推荐答案

CSR本身将包含公钥吗?还是需要向CA分别提供公钥?

Will CSR itself includes public key or do we need to provide public key separately to CA ?

公钥位于CSR内部

在将CSR发送到CA之前，将其用我们的公钥签名吗?(或)除此以外，CSR还应持有公钥?

Will CSR be signed by our public key before sending it to CA (or) CSR hold public key besides it?

CSR由您的密钥签名.公钥是不够的，但需要私钥进行签名.

The CSR is signed by your key. The public key is not enough but the private is needed for signing.

CA是否仅通过CSR(或)对CSR +公钥的组合集进行签名??

Will CA sign over only over CSR (or) on the combined set of CSR + public key.?

CA将从CSR中提取包括公钥在内的信息并签名.它不会签署CSR本身.

The CA will extract the information from the CSR including the public key and sign it. It will not sign the CSR itself.

我们是否应该在客户端和服务器端的信任库中安装CA的根证书和中间证书?因为我们使用的是自己的CA，而不是全局CA.

Should we install CA's root and intermediate certs in our trust store both on the client and server side? since we are using our own CA instead of Global CA.

仅根需要作为信任锚存储在客户端.服务器应在SSL握手中将中间证书与服务器证书一起发送.

Only the root needs to be stored at the client as trust anchor. The intermediate certs should be send by the server together with the servers certificate inside the SSL handshake.

当我们向客户端提供服务器证书时，该证书将包括服务器的公钥吗??

When we are presenting server certificate to client, will that cert includes public key of server.?

是的，证书是公钥和其他信息，例如主题(主机名).

Yes, a certificate is the public key and additional information like subject (hostname).

出于加密目的，我们是否应该在客户端的信任库中安装服务器的公钥?

Should we install the server's public key in the truststore of clients for encryption purpose?

不.客户端将在SSL握手期间获取证书.如果您使用证书固定.

No. The client will get the certificate during the SSL handshake. You only want to know about the servers certificate or public key before doing the handshake if you use certificate pinning.

这篇关于在证书签名请求(CSR)中使用公钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！