
certificate signing request: Does it contain public key or private key?


I am trying to demystify how a CSR is generated, and the role of the public and private key.

Server1:

Now, I want a CSR, and for that I will go to a CA for signing.

For creating a CSR request, is it based on the server's public key or private key?

I referred to this SO question; it says that the server (which is requesting the CSR) itself signs the CSR with its private key before sending it to the CA.

I am a bit confused and have the following questions:


Solution

  • The end product (the certificate signed by the CA): Does it contain the server's private key or public key?

    The certificate is a public document. It therefore can only contain the public key. If it contained the private key, then that key wouldn't be private any more.

  • While initiating a CSR request, why does a server need to sign the CSR with its private key? Is it correct?

    Yes, it is generally correct. This concept is called Proof of Possession (PoPo) and it is used to prove to the CA that you (or the server in this case) have the private key corresponding to the public key which will be signed by the CA (or at least had it at the time just before the CA signed your certificate). If the CA didn't insist on PoPo then you could repudiate any signed future message as follows:

    1. You have your public key signed by the CA to create your certificate. At the time, you sign your request with your private key as you should. Everything is good.
    2. I come along and copy your public key from your certificate. I now present that to the CA as a CSR but without PoPo. The CA signs it and sends me a certificate, which now contains my name and your public key.
    3. At some point, you send a digitally signed (with your private key) message to a third party, say your bank, asking them to donate $1000 to Stack Overflow.
    4. You later decide that the $1000 would be better spent on a vacation, so you dispute the signed message to your bank.
    5. The bank says, "But you digitally signed the message to authenticate it!!"
    6. As you know the CA signs certificates without PoPo, you simply have to say that I must have sent the message instead, using your private key which I've now destroyed in an attempt to hide the evidence.
    7. The bank cannot prove that (6) isn't true as they didn't check I had possession of the private key corresponding to the public key in my request, and therefore your statement of "it wasn't me" cannot be rejected - the bank has to reimburse you.

    If the bank insisted on PoPo when I submitted your public key to the CA, my request would have failed and you could not repudiate your message later. But once a CA signs a request without PoPo - all bets are off for non-repudiation.

  • Eventually, does the CA generate a certificate from the CSR, and how does it derive the public key of the server from the CSR?

    There is no derivation to do - your server's public key is in the request in a construct called a CertificateRequestInfo.

    This CertificateRequestInfo contains your (or the server's) name and the public key. It can also contain other elements such as requested extensions. The CA takes whatever information it requires from this CertificateRequestInfo (only the public key is mandatory) and uses the info to generate a construct called a tbsCertificate (the 'tbs' stands for To Be Signed). This construct contains your name, your public key and whatever extensions the CA deems fit. It then signs this tbsCertificate to create your certificate.
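
An added illustration, not part of the original answer: the CA-side handling described above, using Go's standard library. The CA verifies the CSR's signature with the public key carried inside the CSR (PoPo) and then reads that key out directly; a request whose embedded key was swapped for one the requester does not hold is rejected. The Ed25519 keys and the name `server1.example` are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// caAccept is the CA-side check: parse the CSR, verify its signature against
// the public key carried inside it (PoPo), then read that key out.
func caAccept(der []byte) (ed25519.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(der) // parsing alone verifies nothing
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(ed25519.PublicKey)
	if !ok {
		return nil, errors.New("unexpected key type")
	}
	return pub, nil
}

// demo returns the CA's verdict on an honest CSR, its verdict on a CSR whose
// embedded key was swapped, and whether the extracted key is the server's.
func demo() (error, error, bool) {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a key the requester does not hold
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "server1.example"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, serverPriv)
	if err != nil {
		return err, nil, false
	}
	got, errHonest := caAccept(der)
	// Same-length byte swap keeps the DER well-formed; the signature is untouched.
	_, errSwapped := caAccept(bytes.Replace(der, serverPub, otherPub, 1))
	return errHonest, errSwapped, bytes.Equal(got, serverPub)
}

func main() {
	honest, swapped, sameKey := demo()
	fmt.Printf("honest CSR: %v (key matches: %v)\nswapped-key CSR: %v\n", honest, sameKey, swapped)
}
```

`ParseCertificateRequest` succeeds on both requests; only `CheckSignature` distinguishes them, so a CA that parses without verifying accepts the swapped key.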