What do CAs (Certificate Authority) deliver from CSR?
20-09-2019
Question
I need an SSL certificate for a web server. I can generate a self-signed SSL certificate with the following OpenSSL commands:
openssl req -newkey rsa:512 -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
openssl dhparam -inform pem -in cert.pem -outform pem -out dhparam.pem 512
cat dhparam.pem >> cert.pem
If I want to have a CA-signed certificate, I can generate a CSR (Certificate Signing Request):
openssl req -newkey rsa:512 -nodes -out cert.csr -keyout cert.key
And send it to one CA. And then? I'm wondering what the CA is sending back: only the certificate, or the certificate and the DH parameters, since they are used in the negotiation between the browser and the server?
Solution
The Certificate Authority usually just takes the public key in the CSR and puts it in a certificate that with its own DH parameters.
OTHER TIPS
Actually, openssl req is enough to generate a self-signed certificate. The DH parameters are not needed to work with an SSL certificate - or they can be found in the certificate generated by the CA.
So the CA will only send back a certificate file (e.g. a .crt file) which has to be used along with the private key.
The CA will usually send back a .PEM file, which is signed using the CA's private key.
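
The round trip described in the answers above, as an added example that is not part of the original question or answers: a throwaway local CA signs a CSR, and the checks confirm that what comes back is a certificate only, carrying the CSR's public key and the CA's signature. The subjects, file names and 2048-bit key size are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added demo. All names (demo-ca, www.example.test, file names) are made up.

# Play both roles inside directory $1: the applicant makes a key and a CSR,
# a throwaway local CA signs the CSR and returns server.crt.
issue_demo_cert() {
    dir=$1
    # Throwaway CA: private key plus self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Applicant: server.key stays local, only server.csr goes to the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # CA: take subject and public key from the CSR, sign with the CA key.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/server.crt" 2>/dev/null
}

# True when the certificate carries exactly the public key from the CSR.
same_public_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$csr_pub" = "$crt_pub" ]
}

# True when the PEM file holds a certificate but no private key or DH parameters.
is_certificate_only() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    ! grep -Eq -- '-----BEGIN (.* )?PRIVATE KEY-----|DH PARAMETERS-----' "$1"
}

# True when the returned certificate verifies against the CA certificate.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
if issue_demo_cert "$demo_dir" &&
   same_public_key "$demo_dir/server.csr" "$demo_dir/server.crt" &&
   is_certificate_only "$demo_dir/server.crt" &&
   signed_by_ca "$demo_dir/ca.crt" "$demo_dir/server.crt"; then
    echo "CA returned a certificate only; it matches the key behind the CSR"
fi
rm -rf "$demo_dir"
```

The web server is then configured with server.crt together with the locally kept server.key, which the CA never received.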