Difference between revisions of "CSR - Certificate Signing Request"

From UVOO Tech Wiki
(Created page with "https://security.stackexchange.com/questions/155865/is-the-csr-and-public-key-the-exact-same-thing#:~:text=No%2C%20they%20are%20not%20the,a%20form%20you%20fill%20out. https:/...")
 
 

Latest revision as of 16:16, 5 January 2023

https://security.stackexchange.com/questions/155865/is-the-csr-and-public-key-the-exact-same-thing#:~:text=No%2C%20they%20are%20not%20the,a%20form%20you%20fill%20out.

Is the CSR and public key the exact same thing?

No, they are not the same. A public key is actually one member of a "key pair", consisting of both a public key and the matching private key. The CSR is a Certificate Signing Request, which is just a form you fill out.

When creating a CSR, you attach your public key to it and fill in other needed data; you then send it to a Certificate Authority (CA). The CA takes the data from your form, and if you pass all their validation tests (i.e. your credit card is charged), they use the data from your CSR to create a certificate, and then they sign your new certificate with their "root" certificate. This gives the rest of the world assurance that the public key found on the certificate is actually associated with you.

Normally, nobody but the CA needs a CSR.

In your case, it sounds like you're stuck in the middle of someone else's process that hasn't been described adequately. If this "HPKP backup key generation" (whatever that is) is creating a public/private key pair, they may be asking for a "blank" CSR to use as a template to request a new certificate every time they generate a new backup key. (Really, they probably just need the data fields you want on the certificates.) But that CSR is always incomplete because the public keys haven't yet been generated.

You probably need to sit down with both the certificate people and the HPKP people, and figure out who actually needs what.

https://en.wikipedia.org/wiki/Certificate_signing_request

https://www.godaddy.com/help/nginx-generate-csrs-certificate-signing-requests-3601
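
The relationship described in the quoted answer can be checked with the `openssl` command-line tool. This is an added example, not part of the wiki page or the quoted answer; it assumes `openssl` is installed, and the file names, subject fields and `www.example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names, subject fields and www.example.test are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Key pair. The private key stays on the server and is never sent to the CA.
make_key() {
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$WORK/demo.key" 2>/dev/null )
}

# 2. The CSR "form": subject fields plus the public key, signed with the private key.
make_csr() {
    openssl req -new -key "$WORK/demo.key" \
        -subj "/C=US/O=Example Org/CN=www.example.test" -out "$WORK/demo.csr"
}

pubkey_from_key() { openssl pkey -in "$WORK/demo.key" -pubout; }
pubkey_from_csr() { openssl req -in "$WORK/demo.csr" -noout -pubkey; }
csr_subject()     { openssl req -in "$WORK/demo.csr" -noout -subject; }

# The CSR's self-signature shows the requester holds the matching private key.
# Match on the message text rather than relying on the exit status alone.
csr_signature_ok() {
    openssl req -in "$WORK/demo.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# A CSR must never carry private key material.
csr_has_private_key() { grep -q "PRIVATE KEY" "$WORK/demo.csr"; }

make_key
make_csr
csr_subject
if [ "$(pubkey_from_key)" = "$(pubkey_from_csr)" ]; then
    echo "CSR carries the public half of demo.key"
fi
if csr_signature_ok; then echo "CSR self-signature verifies"; fi
if csr_has_private_key; then echo "private key found in CSR" >&2; exit 1; fi
echo "no private key material in CSR; only demo.csr goes to the CA"
```

Only `demo.csr` would be submitted to a CA; `demo.key` is kept with owner-only permissions on the host that will serve the certificate.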