Ssl CSR是否用私钥加密?
包含公钥和组织详细信息的CSR(证书签名请求)是否使用私钥加密 -如果是,证书颁发机构如何解密它,因为CSR中的公钥也是加密的Ssl CSR是否用私钥加密?,ssl,openssl,cryptography,ssl-certificate,tls1.2,Ssl,Openssl,Cryptography,Ssl Certificate,Tls1.2,包含公钥和组织详细信息的CSR(证书签名请求)是否使用私钥加密 -如果是,证书颁发机构如何解密它,因为CSR中的公钥也是加密的 -如果没有,CA如何确保CSR发行人拥有私钥?PKCS 10中定义了CSR的结构,并重新发布为 CSR包括请求者的公钥等。CA需要验证请求者是否持有相应的私钥。为了确保私钥的所有权,请求者用私钥对CSR数据进行签名 当CA收到CSR时,它提取请求者的公钥并验证签名。如果验证为fais,则CSR被拒绝 包括具有逐场分解的示例CSR。该示例是一个使用RSA公钥的证书请求,并
-如果没有,CA如何确保CSR发行人拥有私钥?PKCS 10中定义了CSR的结构,并重新发布为 CSR包括请求者的公钥等。CA需要验证请求者是否持有相应的私钥。为了确保私钥的所有权,请求者用私钥对CSR数据进行签名 当CA收到CSR时,它提取请求者的公钥并验证签名。如果验证为fais,则CSR被拒绝 包括具有逐场分解的示例CSR。该示例是一个使用RSA公钥的证书请求,并使用
MD5WithRSAConficationopenssl req -new -sha256 -newkey rsa:2048 -nodes -keyout example.key -out example.csr
$ openssl req -noout -text -in example.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e2:23:3c:4e:d8:39:ce:9a:16:2f:e2:ef:e7:9b:
5d:7f:20:a7:9a:4b:dd:54:ad:6b:b3:ff:33:78:65:
f2:b1:e1:e3:b5:eb:23:9d:da:b3:8d:3c:2f:1f:60:
9a:17:36:df:0f:4e:3a:bd:fb:9f:73:d5:00:c2:65:
04:a2:77:e6:5b:27:f2:30:8f:57:31:c8:bf:d1:0a:
cc:db:f5:95:8e:98:ff:34:c5:ed:68:57:f8:43:47:
41:ff:cb:6d:27:ae:de:33:95:cd:d6:0a:f8:0b:25:
27:99:4e:6b:7d:d8:c4:dd:83:97:57:7a:42:69:4c:
41:e2:d6:7f:86:d0:6f:1b:c2:30:b2:e7:a9:ee:5b:
9d:a1:ce:80:ec:45:a6:ad:a4:6e:b1:6a:b1:68:ef:
c4:7d:5b:6c:e5:24:fe:54:f9:bb:09:48:5c:49:ca:
fe:41:28:bc:48:e8:02:bf:ac:b0:5b:c6:3f:bb:0e:
17:d4:31:02:31:27:b1:a3:7a:ff:82:49:f0:11:10:
64:53:44:ca:61:82:fd:3a:82:5c:07:48:23:1f:db:
e5:0f:64:79:09:19:25:b4:a5:07:42:d3:b4:54:75:
61:13:43:63:34:a2:72:55:07:d6:d1:8c:74:31:cb:
5c:54:1e:6a:e7:04:86:35:4c:d9:a4:31:3f:fd:36:
9c:59
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
6d:fb:a6:e5:2b:89:5c:ef:5c:ca:cc:d3:9a:3d:b1:c1:41:9d:
b5:55:ca:2c:17:ca:ea:74:1d:79:b9:16:ec:81:08:95:94:98:
e1:2b:50:c7:46:eb:d4:97:09:25:cc:da:b4:bd:34:3c:5a:14:
c8:88:ed:21:99:63:e9:c0:0e:fa:bb:5d:a7:27:11:22:61:a1:
1f:d3:65:c8:cc:14:ff:d7:ce:19:29:14:67:ed:e5:b8:31:b5:
25:55:8e:59:42:f1:2a:6d:f9:fe:4a:be:08:b9:23:c5:b6:3b:
c8:7e:3f:0c:bd:bb:37:f6:fd:5a:0e:50:50:43:8e:59:f7:b6:
77:06:50:b2:45:2a:17:f4:53:5a:7c:3c:50:6d:de:74:e3:0e:
df:94:48:bc:a9:fa:b8:a1:9a:3e:dc:10:c8:50:cb:9b:a7:49:
cc:ac:88:66:54:e6:d3:06:81:95:f4:ac:e1:61:d7:88:18:74:
e8:8e:d2:8d:e9:71:7f:99:41:b9:b3:a1:ad:af:d6:0b:2f:46:
8d:fa:c4:29:b4:40:38:fb:80:31:33:5c:62:67:62:dd:62:14:
36:fe:8f:8d:36:dc:0c:52:7b:0b:46:1c:58:94:2f:84:a9:54:
b0:a8:78:a0:9d:30:e9:0d:2f:a5:09:7d:3e:4e:75:16:56:f7:
94:a7:09:8f
rm example.key
$ openssl req -noout -text -in example.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e2:23:3c:4e:d8:39:ce:9a:16:2f:e2:ef:e7:9b:
5d:7f:20:a7:9a:4b:dd:54:ad:6b:b3:ff:33:78:65:
f2:b1:e1:e3:b5:eb:23:9d:da:b3:8d:3c:2f:1f:60:
9a:17:36:df:0f:4e:3a:bd:fb:9f:73:d5:00:c2:65:
04:a2:77:e6:5b:27:f2:30:8f:57:31:c8:bf:d1:0a:
cc:db:f5:95:8e:98:ff:34:c5:ed:68:57:f8:43:47:
41:ff:cb:6d:27:ae:de:33:95:cd:d6:0a:f8:0b:25:
27:99:4e:6b:7d:d8:c4:dd:83:97:57:7a:42:69:4c:
41:e2:d6:7f:86:d0:6f:1b:c2:30:b2:e7:a9:ee:5b:
9d:a1:ce:80:ec:45:a6:ad:a4:6e:b1:6a:b1:68:ef:
c4:7d:5b:6c:e5:24:fe:54:f9:bb:09:48:5c:49:ca:
fe:41:28:bc:48:e8:02:bf:ac:b0:5b:c6:3f:bb:0e:
17:d4:31:02:31:27:b1:a3:7a:ff:82:49:f0:11:10:
64:53:44:ca:61:82:fd:3a:82:5c:07:48:23:1f:db:
e5:0f:64:79:09:19:25:b4:a5:07:42:d3:b4:54:75:
61:13:43:63:34:a2:72:55:07:d6:d1:8c:74:31:cb:
5c:54:1e:6a:e7:04:86:35:4c:d9:a4:31:3f:fd:36:
9c:59
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
6d:fb:a6:e5:2b:89:5c:ef:5c:ca:cc:d3:9a:3d:b1:c1:41:9d:
b5:55:ca:2c:17:ca:ea:74:1d:79:b9:16:ec:81:08:95:94:98:
e1:2b:50:c7:46:eb:d4:97:09:25:cc:da:b4:bd:34:3c:5a:14:
c8:88:ed:21:99:63:e9:c0:0e:fa:bb:5d:a7:27:11:22:61:a1:
1f:d3:65:c8:cc:14:ff:d7:ce:19:29:14:67:ed:e5:b8:31:b5:
25:55:8e:59:42:f1:2a:6d:f9:fe:4a:be:08:b9:23:c5:b6:3b:
c8:7e:3f:0c:bd:bb:37:f6:fd:5a:0e:50:50:43:8e:59:f7:b6:
77:06:50:b2:45:2a:17:f4:53:5a:7c:3c:50:6d:de:74:e3:0e:
df:94:48:bc:a9:fa:b8:a1:9a:3e:dc:10:c8:50:cb:9b:a7:49:
cc:ac:88:66:54:e6:d3:06:81:95:f4:ac:e1:61:d7:88:18:74:
e8:8e:d2:8d:e9:71:7f:99:41:b9:b3:a1:ad:af:d6:0b:2f:46:
8d:fa:c4:29:b4:40:38:fb:80:31:33:5c:62:67:62:dd:62:14:
36:fe:8f:8d:36:dc:0c:52:7b:0b:46:1c:58:94:2f:84:a9:54:
b0:a8:78:a0:9d:30:e9:0d:2f:a5:09:7d:3e:4e:75:16:56:f7:
94:a7:09:8f
openssl2) 删除私钥当然是愚蠢的,因为现在如果某个证书确实是由此CSR创建的,那么它就没有用了,因为附加的私钥不再存在。可能是签名的,而不是加密的…@dan1st你是什么意思?它可能是交给的,哈希是加密的。但是,这不会有帮助,因为攻击者可以同时更改两者。签名是创建哈希并使用私钥对其进行加密。@不,CA生成的证书是另一个对象。证书将包含CRS发行人的公钥和部分信息,所有信息均使用CA私钥签名。签名是否加密?=>privateKeyEncryption(MD5WithRSAEcryption(csr))?否。使用RSA时,对消息进行签名是无效的。当CSR密钥基于椭圆曲线时,则使用。因此“为了确保私钥的所有权,请求者使用私钥对CSR数据进行签名。”不总是正确的吗?这取决于公钥类型?有几种不同的数字签名算法。它们都具有以下特性:使用特定私钥创建的数字签名只能通过相应的公钥进行验证。大多数数字签名算法与加密无关。是的,的确如此,但它使用私钥的方式不同于RSA加密。因此,CA如何验证谁颁发了CSR?从技术上讲,它不需要验证(至少对于TLS而言,拥有公钥就足以让CA创建证书)。但是如果使用CSR,CSR包含一个由私钥生成的签名。哦,好的。问题是关于企业社会责任。所以CSR确实需要私钥。“所以CSR确实需要私钥”来创建它,因为签名。不迟看。这是公共数据。