Re: CSR with only public key

If a CA signs a certificate without proof of possession of the private key, the CA is enabling whoever does have that private key to look as though they are the one who they sign the certificate for (i.e., impersonation).  The entire structure of PKI (the binding of the public half of a keypair to some external identity) depends on this not happening.

More importantly, in the situation where the person submitting the unsigned request can't prove possession, they know it is a situation where either the private key is lost (and the certificate would be useless anyway) or that impersonation is simply guaranteed.

There might be a scenario desired where the generation of the CSR isn't done by the holder of the private key internal to a company (perhaps because the holder of the private key is otherwise extremely busy), but because there's no way to tell if that limited scenario is different from the other scenarios based on available evidence, publicly trusted CAs are required (by rules of the CABF) to reject non-proof-of-possession scenarios entirely.

To answer your question, yes the error is because the request wasn't signed with the private key.  As such, it's not a complete request, and doesn't match the expected ASN.1 structure.

-Kyle H
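To make the proof-of-possession point concrete, here is an added example (not from this thread or from OpenSSL's own sources) showing the CA-side check with the openssl CLI: a normally self-signed CSR passes `openssl req -verify`, the same CSR with one altered signature byte still parses but fails verification, and the same CSR with the signature cut off is not a loadable PKCS#10 at all, which is the situation described in the reply above. All inputs are constructed on the fly in a temporary directory; the subject name and file names are arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread): the CA-side proof-of-possession check on a
# PKCS#10 CSR with the openssl CLI. Three constructed inputs, built in a temp dir:
#   good.der   - CSR self-signed with the key behind its public key -> verify OK
#   badsig.der - same CSR, one signature byte altered -> parses, verify fails
#   nosig.der  - same CSR with the signature BIT STRING cut off -> will not load
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

create_samples() {
  # Normal case: 'req -new -key' signs the CertificationRequestInfo with the
  # private key; that signature is the proof of possession the CA relies on.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/client.key" 2>/dev/null
  openssl req -new -key "$WORK/client.key" -subj "/CN=client.example" \
    -outform DER -out "$WORK/good.der" 2>/dev/null
  LEN=$(wc -c < "$WORK/good.der")

  # Corrupted signature: the last DER byte lies inside the signature BIT STRING.
  # Replace it with (byte+1) mod 256 so the structure is intact but the
  # signature no longer verifies against the embedded public key.
  LAST=$(tail -c 1 "$WORK/good.der" | od -An -tu1 | tr -d ' ')
  head -c $((LEN - 1)) "$WORK/good.der" > "$WORK/badsig.der"
  printf "\\$(printf '%03o' $(( (LAST + 1) % 256 )))" >> "$WORK/badsig.der"

  # No signature at all: for an RSA-2048 key the trailing signature BIT STRING
  # is 261 bytes (4-byte tag/length, 1 unused-bits octet, 256 signature bytes).
  # Dropping it leaves an outer SEQUENCE whose length no longer matches, which
  # is the "unable to load X509 request" situation from the question.
  head -c $((LEN - 261)) "$WORK/good.der" > "$WORK/nosig.der"
}

# Does OpenSSL accept the file as a PKCS#10 request at all?
csr_parses() {
  openssl req -inform DER -in "$1" -noout >/dev/null 2>&1
}

# Does the CSR's self-signature verify against its own public key? This is the
# proof-of-possession check a CA must perform before signing. The message text
# is matched rather than the exit status because some openssl versions exit 0
# even on "verify failure".
csr_pop_ok() {
  openssl req -inform DER -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

create_samples
for f in good badsig nosig; do
  if ! csr_parses "$WORK/$f.der"; then echo "$f.der: not a loadable PKCS#10"
  elif csr_pop_ok "$WORK/$f.der"; then echo "$f.der: proof of possession OK"
  else echo "$f.der: parses, but self-signature does not verify"; fi
done
```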


On Thu, Sep 12, 2019, 02:47 Bharathi Prasad <barati.j.prasad@xxxxxxxxx> wrote:
Hi,
I have the public key of the client but not the private key. I am required
to generate a CSR with only public key. I understand private key is required
for Proof of Possession. However, as per my requirement I am supposed to
create CSR only with public key and my CA would create a certificate.

I was able to create a CSR with CX509CertificateRequestCertificate and
CX509Enrollment classes using the available public key. When I try to read
the contents of the CSR in openssl (I used this command: openssl req -in
client.csr -noout -text) I get "unable to load X509 request".

Is this happening because the CSR does not contain the signature of the
private key, or is the CSR faulty?

Kindly help me.

Regards,
Bharathi



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
