Does a CSR need to be signed with the matching private key?


Problem description

When generating a CSR using OpenSSL you have two options: 1) Generate a private key when the CSR is generated 2) Use the private key to derive a public key and use the public key to create the CSR

Does the CSR need to be signed with the matching private key for the CA to validate it?

Hypothetically, what if I have TWO key pairs (PubKey1, PrivKey1, PubKey2, PrivKey2)? First thing I do is move PrivKey1 to another place. Is there a way where I can use PubKey1 to make the CSR (without access to PrivKey1), but sign it with PrivKey2 to preserve integrity?

Can someone explain why this scenario will not work for the CA?

I've been googling a bunch and the documentation available does not go into any detail as to the Private Key's role in the creation of a CSR.

Recommended answer

Does the CSR need to be signed with the matching private key for the CA to validate it?

Yes. A PKCS #10 certificate request is always signed with the private key that matches the public key.

Is there a way where I can use PubKey1 to make the CSR (Without access to PrivKey1), but sign it with PrivKey2 to preserve integrity?

No. The reason the private key signs the CSR is to demonstrate to the CA that you have ownership of the private key that corresponds to the public key. If you sign with a different private key, the CA will reject your request as invalid.
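The proof-of-possession check described in the answer, as an added example that is not part of the original question or answer. It assumes the third-party `cryptography` package and EC P-256 keys; the subject name and all function names are constructed for illustration. It builds the PubKey1/PrivKey2 request from the question by hand and shows that the signature check a CA performs rejects it.

```python
# Added example; requires the third-party "cryptography" package.
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# DER AlgorithmIdentifier for ecdsa-with-SHA256 (OID 1.2.840.10045.4.3.2)
ECDSA_SHA256 = bytes.fromhex("300a06082a8648ce3d040302")


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def make_csr(key) -> x509.CertificateSigningRequest:
    """Normal case: the signing key is the key whose public half is embedded."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "csr-demo.example")])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())


def resign_with_other_key(csr, other_key) -> x509.CertificateSigningRequest:
    """Keep the CertificationRequestInfo (holding PubKey1) but sign it with PrivKey2."""
    info = csr.tbs_certrequest_bytes
    sig = other_key.sign(info, ec.ECDSA(hashes.SHA256()))
    blob = der(0x30, info + ECDSA_SHA256 + der(0x03, b"\x00" + sig))
    return x509.load_der_x509_csr(blob)  # parsing succeeds; it does not verify


def ca_accepts(csr) -> bool:
    """Proof-of-possession check: verify the signature with the embedded public key."""
    return csr.is_signature_valid


if __name__ == "__main__":
    priv_key1 = ec.generate_private_key(ec.SECP256R1())
    priv_key2 = ec.generate_private_key(ec.SECP256R1())
    good = make_csr(priv_key1)
    mismatched = resign_with_other_key(good, priv_key2)
    print("signed by matching key:", ca_accepts(good))
    print("PubKey1 signed by PrivKey2:", ca_accepts(mismatched))
```

The same check is available on the command line as `openssl req -in request.csr -noout -verify`, where `request.csr` is a placeholder file name.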
