Why do I have to create a certificate request (CSR) from a private key?
A CSR (certificate signing request) is the applicant's request for a digitally signed certificate, made by sending the public key to the certificate authority (CA). The file that is sent is called a CSR file.
In a public key infrastructure (PKI) system, a certificate signing request (also called CSR or certification request) is a message sent from the applicant to the registration authority of the PKI in order to apply for a digital identity certificate.
With a digitally signed certificate we can prove that we are trustworthy, because the CA vouches for us.
To apply for a digital certificate from a CA, the applicant must first generate a key pair (a public key and a private key) themselves. The applicant keeps the private key and sends the public key together with the applicant information to the CA, and the CA issues the digital certificate based on this public key and the applicant information.
A CSR file is a data file containing the applicant's public key and information. The applicant generates this CSR file and sends it to the CA, and the CA issues a digital certificate according to the contents of the CSR file.
There are many ways to generate CSR files; OpenSSL is commonly used.
You can also generate a CSR online through the CA (not recommended, because the key pair is then no longer private to the applicant).
Using the RSA algorithm, generate a private key and write it to the file private.key.
Generate the CSR file server.csr using the private key private.key.
You need to fill in the applicant information here. Note that the Common Name must be the domain name or host name that will use the SSL certificate (that is, the one served over HTTPS); otherwise the browser will consider the site unsafe. For example, if you plan to use /xxx in the future, please fill in dummy.example.com here.
After completing the above two steps, the public key will appear in both the server.csr and private.key files.
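The two steps above, followed by a check that server.csr really carries the public half of private.key, as an added example that is not from the original page. It assumes the `openssl` command-line tool is installed; the 2048-bit key size, the function names and the temporary directory are assumptions made for the demo.

```sh
#!/bin/sh
# Added example. File names private.key/server.csr and the CN come from the
# text; the 2048-bit size, function names and temp directory are assumptions.

make_csr() {    # $1 = output directory, $2 = Common Name
    dir=$1; cn=$2
    # Step 1: RSA private key, created owner-readable only; it stays local.
    ( umask 077; openssl genrsa -out "$dir/private.key" 2048 2>/dev/null ) || return 1
    # Step 2: CSR built from that key; -subj answers the applicant prompts.
    openssl req -new -key "$dir/private.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null
}

pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_csr() { openssl req -in "$1" -noout -pubkey 2>/dev/null; }

csr_matches_key() {    # $1 = CSR file, $2 = private key file
    # The CSR is signed with the applicant's private key; check that first.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # Then compare the public key inside the CSR with the one derived from the key.
    [ -n "$(pubkey_of_csr "$1")" ] &&
        [ "$(pubkey_of_csr "$1")" = "$(pubkey_of_key "$2")" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_csr "$tmp" dummy.example.com || return 1
    openssl req -in "$tmp/server.csr" -noout -subject
    csr_matches_key "$tmp/server.csr" "$tmp/private.key" \
        && echo "server.csr carries the public half of private.key"
    # A different key must not match the same CSR.
    openssl genrsa -out "$tmp/other.key" 2048 2>/dev/null
    csr_matches_key "$tmp/server.csr" "$tmp/other.key" \
        || echo "other.key does not match server.csr"
    # The CSR holds no private key material, so only it is sent to the CA.
    grep -q "PRIVATE KEY" "$tmp/server.csr" \
        || echo "no private key material in server.csr"
    rm -rf "$tmp"
}
demo
```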
We submit the CSR file to the CA to apply for a certificate. After verifying the identity of the applicant, the CA signs with its own private key and generates the certificate.
The CA's signing process works roughly as follows: the information is hashed to obtain a hash value. Hashing is irreversible, that is, the original content cannot be recovered from the hash value. When the information is sent, the hash value is encrypted with the CA's private key and sent along with the information as the signature.
A CA has its own certificate (crt file), and this certificate, which proves that the CA is trustworthy, is issued to it by a higher-level CA.
After receiving the certificate file, the applicant converts the certificate (public key) file and the private key file into the format required by the server and deploys them on the HTTP server, so that the website can be trusted.
From then on, anyone who connects receives this certificate from the server rather than a bare public key. They need the public key of the CA (the issuing authority of the certificate) to decrypt the signature of the certificate. If the decryption succeeds and the hashes match, there is no problem with the public key attached to this certificate.