Question

I need an SSL certificate for a web server. I can generate a self-signed SSL certificate with the following OpenSSL commands:

openssl req -newkey rsa:512 -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
openssl dhparam -inform pem -in cert.pem -outform pem -out dhparam.pem 512
cat dhparam.pem >> cert.pem 

If I want to have a CA-signed certificate, I can generate a CSR (Certificate Signing Request):

openssl req -newkey rsa:512  -nodes -out cert.csr -keyout cert.key

And send it to a CA. And then? I'm wondering what the CA sends back: only the certificate, or the certificate and the DH parameters, since they are used in the negotiation between the browser and the server?


Solution

The Certificate Authority usually just takes the public key in the CSR and puts it in a certificate with its own DH parameters.

OTHER TIPS

Actually, openssl req is enough to generate a self-signed certificate. The DH parameters are not needed to work with an SSL certificate - or they can be found in the certificate generated by the CA.

So the CA will only send back a certificate file (e.g. a .crt file) which has to be used along with the private key.

The CA will usually send back a .PEM file, which is signed using the CA's private key.
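
The CSR round trip discussed above, as an added example that is not part of any answer: a throwaway local CA signs a CSR, and the checks show that what comes back is a single certificate block carrying the CSR's public key, with no DH parameters in it. The CA name, hostname, temporary paths and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example: a throwaway local CA stands in for the real one.
# All names (Demo Test CA, www.example.test) and file paths are constructed.
set -e

# Server makes key + CSR, demo CA signs the CSR; prints the working directory.
sign_csr_with_demo_ca() {
    dir=$(mktemp -d)
    # CA side: self-signed root (a real CA already has this).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server side: cert.key never leaves the server; only cert.csr is sent.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/cert.key" -out "$dir/cert.csr" 2>/dev/null
    # CA side: sign the CSR; cert.crt is everything that is sent back.
    openssl x509 -req -in "$dir/cert.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/cert.crt" 2>/dev/null
    echo "$dir"
}

# List the PEM block types in a file (e.g. CERTIFICATE, DH PARAMETERS).
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Print the public key (PEM) held in a cert, a CSR, or a private key file.
spki() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac
}

d=$(sign_csr_with_demo_ca)
echo "PEM blocks returned by the CA: $(pem_labels "$d/cert.crt")"
[ "$(spki cert "$d/cert.crt")" = "$(spki csr "$d/cert.csr")" ] \
    && echo "certificate carries the public key from the CSR"
[ "$(spki cert "$d/cert.crt")" = "$(spki key "$d/cert.key")" ] \
    && echo "which matches the private key kept on the server"
openssl verify -CAfile "$d/ca.pem" "$d/cert.crt"
rm -rf "$d"
```

DH parameters, where a server uses them, are generated and configured on the server itself with openssl dhparam, as in the question's self-signed recipe.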

Licensed under: CC-BY-SA with attribution