I have downloaded a CSR from Azure Key Vault and wanted to recreate that CSR with openSSL commands. Reason is we might want to create that CSR from scripts without having an Azure KeyVault.
My context:
Inspected both CSRs with: openssl req -text -noout -verify -in csr.csr
Created a new CSR with OpenSSL and made sure all the subject information and Requested Extensions are the same as the KeyVault one.

When inspecting the newly created CSR (using the above command) and the one generated by Azure KeyVault, they are identical (e.g. same modulus, same request extensions, same subject) except for the signature.
My question:
Are there components in a CSR that are not inspected using the above command that can explain why the signatures are different while the rest is the same? Or is it because it is generated on a different machine? Or can it be that they (KeyVault and OpenSSL) used different algorithms for sha256WithRSAEncryption which are not viewable with the above inspection command? I'm trying to understand.
Version: 1 (0x0)
Subject: <<obf>>
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Modulus:
            <<obf>>
        Exponent: 65537 (0x10001)
Attributes:
    Requested Extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Subject Alternative Name:
            DNS:<<obf>>
        X509v3 Basic Constraints:
            CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
    <<obf>>
Answering 'Are there components in a CSR that are not inspected using above command that can explain why the signatures are different while the rest is the same?': there might be different padding schemes, or a different sequence of some fields.
To fully inspect binary/PEM encoded PKCS#10 CSR data, use openssl asn1parse -i -in csr.csr
on both CSRs. This will not only show differences between some fields but will show the full structure, which might affect the final signature.
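The following is an added example, not code from the question or the answer above. It does in a script what the answer suggests doing by eye with asn1parse: it splits each DER-encoded PKCS#10 CSR into its three top-level elements (certificationRequestInfo, signatureAlgorithm, signature), hashes the signed part, and walks both certificationRequestInfo trees in parallel to report the path of the first byte-level difference. The relevant fact behind the comparison is that an RSA PKCS#1 v1.5 signature (sha256WithRSAEncryption) is deterministic, so two CSRs signed with the same private key over byte-identical certificationRequestInfo must carry identical signatures; a different signature therefore means the signed bytes differ somewhere (field order, encoding, attribute layout), or that a randomised scheme such as RSA-PSS was used. The two sample CSRs are constructed inline with a placeholder key and a placeholder signature (they are not real, verifiable requests); they differ only in the order of two extensions inside extensionRequest. The helper names (tlv, read_tlv, children, split_csr, first_difference, compare_csrs, sample_csr) are this example's own. Only the standard library is used, so it runs offline; to compare real files, read their DER bytes (for PEM, base64-decode the body between the BEGIN/END lines) and pass them to compare_csrs.

```python
"""Locate where two DER-encoded PKCS#10 CSRs differ in the signed part."""
import hashlib

SEQ, SET, OID, UTF8, INT, BITSTR, OCTSTR, BOOL, CTX0 = (
    0x30, 0x31, 0x06, 0x0C, 0x02, 0x03, 0x04, 0x01, 0xA0)


def _encode_len(n):
    """DER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Build one DER TLV (used only to construct the sample CSRs below)."""
    return bytes([tag]) + _encode_len(len(body)) + body


def read_tlv(buf, off=0):
    """Return (tag, value, end_offset) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, buf[start:start + length], start + length


def children(value):
    """Yield (tag, value, raw_tlv) for every element inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, end = read_tlv(value, off)
        yield tag, val, value[off:end]
        off = end


def split_csr(csr_der):
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }"""
    tag, body, _ = read_tlv(csr_der)
    if tag != SEQ:
        raise ValueError("CSR must start with a SEQUENCE")
    parts = [raw for _, _, raw in children(body)]
    if len(parts) != 3:
        raise ValueError("expected exactly three top-level elements")
    return parts[0], parts[1], parts[2]


def first_difference(a, b, path="info"):
    """Descend two DER nodes in parallel; return a description of the first differing leaf."""
    if a == b:
        return None
    ta, va, _ = read_tlv(a)
    tb, vb, _ = read_tlv(b)
    if ta != tb:
        return f"{path}: tag 0x{ta:02x} vs 0x{tb:02x}"
    if not ta & 0x20:  # primitive node: the values themselves differ
        return f"{path}: tag 0x{ta:02x} value {va.hex()} vs {vb.hex()}"
    ca, cb = list(children(va)), list(children(vb))
    for i in range(min(len(ca), len(cb))):
        if ca[i][2] != cb[i][2]:
            return first_difference(ca[i][2], cb[i][2], f"{path}[{i}]")
    return f"{path}: {len(ca)} vs {len(cb)} children"


def compare_csrs(csr_a, csr_b):
    """Compare the signed part, the algorithm identifier and the signature of two CSRs."""
    info_a, alg_a, sig_a = split_csr(csr_a)
    info_b, alg_b, sig_b = split_csr(csr_b)
    return {
        "tbs_sha256": (hashlib.sha256(info_a).hexdigest(), hashlib.sha256(info_b).hexdigest()),
        "tbs_equal": info_a == info_b,
        "sigalg_equal": alg_a == alg_b,
        "sig_equal": sig_a == sig_b,
        "first_tbs_difference": first_difference(info_a, info_b),
    }


def sample_csr(ext_order):
    """Constructed sample CSR: placeholder public key and placeholder signature, NOT a real request."""
    cn = tlv(SET, tlv(SEQ, tlv(OID, bytes.fromhex("550403")) + tlv(UTF8, b"example.test")))  # CN
    subject = tlv(SEQ, cn)
    rsa_oid = tlv(OID, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00"  # rsaEncryption, NULL
    spki = tlv(SEQ, tlv(SEQ, rsa_oid) + tlv(BITSTR, b"\x00" + b"\x42" * 16))  # dummy key bits
    key_usage = tlv(SEQ, tlv(OID, bytes.fromhex("551d0f")) + tlv(BOOL, b"\xff")
                    + tlv(OCTSTR, tlv(BITSTR, b"\x05\xa0")))  # critical; digitalSignature, keyEncipherment
    basic = tlv(SEQ, tlv(OID, bytes.fromhex("551d13")) + tlv(OCTSTR, tlv(SEQ, b"")))  # CA:FALSE
    exts = {"keyUsage": key_usage, "basicConstraints": basic}
    ext_seq = tlv(SEQ, b"".join(exts[name] for name in ext_order))
    ext_req = tlv(SEQ, tlv(OID, bytes.fromhex("2a864886f70d01090e")) + tlv(SET, ext_seq))  # extensionRequest
    info = tlv(SEQ, tlv(INT, b"\x00") + subject + spki + tlv(CTX0, ext_req))
    sig_alg = tlv(SEQ, tlv(OID, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSAEncryption
    # Placeholder standing in for a deterministic signature over `info`; a real CSR carries RSA output here.
    sig = tlv(BITSTR, b"\x00" + hashlib.sha256(info).digest())
    return tlv(SEQ, info + sig_alg + sig)


if __name__ == "__main__":
    csr_a = sample_csr(("keyUsage", "basicConstraints"))
    csr_b = sample_csr(("basicConstraints", "keyUsage"))
    for key, value in compare_csrs(csr_a, csr_b).items():
        print(f"{key}: {value}")
```

Run against the two constructed samples, tbs_equal is False and first_tbs_difference points into info[3] (the [0] attributes element), i.e. into the extension order, which `openssl req -text` prints in a normalised way and therefore hides; sigalg_equal stays True, matching the question's observation that the algorithm identifier alone tells you nothing about why the signatures differ.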