Does a CSR need to be signed with the matching private key?

StackOverflow https://stackoverflow.com/questions/15216440

  •  18-03-2022
  •  | 
  •  

Question

When generate a CSR using OpenSSL you have two options: 1) Generate a Private key when the CSR is generated 2) Use the private key to derive a public key and use the public key to create the CSR

Does the CSR need to be signed with the matching private key for the CA to validate it?

Hypothetically, what if i have TWO key pairs (PubKey1, PrivKey1, PubKey2, PrivKey2). First thing i do is move PrivKey1 to another place. Is there a way where I can use PubKey1 to make the CSR (Without access to PrivKey1), but sign it with PrivKey2 to preserve integrity?

Can someone explain why this scenario will not work for the CA?

I've been googling a bunch and the documentation available does not go into any detail as to the Private Key's role in the creation of a CSR.

Was it helpful?

Solution

Does the CSR need to be signed with the matching private key for the CA to validate it?

Yes. A PKCS #10 certificate request is always signed with the private key that matches the public key.

Is there a way where I can use PubKey1 to make the CSR (Without access to PrivKey1), but sign it with PrivKey2 to preserve integrity?

No. The reason the private key signs the CSR is to demonstrate to the CA that you have ownership of the private key that corresponds to the public key. If you sign with a different private key, the CA will reject your request as invalid.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top