6

So I have been doing my research and haven't found anything specific enough to my problem. As the question title states, I want to make a CSR with only the public key. What I have been able to do is generate a CSR with the information of my choosing along with a new keypair. And then use something like this to force it to use the public key I want when making the certificate.

openssl x509 -req -in mycsr.pem -force_pubkey mypubkey.pem -CA dumyCA.pem -CAkey -dumyCA.pem -out mycert.pem

After this I take the outputted certificate and change its attributes to associate it with a private key. This all works nicely. The problem with this is that if I were to take the said csr, and submit it to a CA they would return to me a certificate that used the key that was generated when the csr is generate. Thus my question.

EDIT: So I have a key-pair, but my private key is on an HSM module that doesn't have export capabilities. I am able to get a .pem file of the public key. And after making the certificate with the command I gave I run it through a program that associates it with the private key. So my new question is, using openssl API will I be able to create my own csr? So I can sign it with the private key without having to have it in a file, and associate it with the public key I have.

embasa
  • 106
  • 1
  • 1
  • 5
  • For sake of anyone else who tries to parse this question. -force_pubkey key option: when a certificate is created set its public key to key instead of the key in the certificate or certificate request. This option is useful for creating certificates where the algorithm can't normally sign requests, for example DH. – kubanczyk Mar 03 '16 at 09:40
  • 3
    What you asked is impossible because `csr` must be signed with the private key. – Cthulhu Mar 03 '16 at 09:51
  • Sorry for late reply. If I have a different certificate with the corresponding key that the csr will require, can I sign it with that? – embasa Mar 03 '16 at 19:09
  • From the comments here and on the answer, it is unclear what you are asking for. Please edit the question to clarify what you really want. A "CSR with only the public key" is the public key itself. And no CSR can be made without signing the content, which requires access to the private key (that's the whole point of it, to avoid CSR forging - plus that is how asymmetric cryptography works). – M'vy Mar 04 '16 at 08:52
  • I came across the same problem. @Cthulhu that's fair enough. Thanks for pointing out. – qweruiop Sep 15 '17 at 03:26
  • One other clarification. You only need to access the Private Key, you don't need to export it. The CSR does not include a private key, only a signature generated +using+ the private key. The CA will verify that the signature agrees with the supplied CSR, which indicates that you had access to the Private Key for which the CSR was issued. – rip... Dec 02 '19 at 00:51

2 Answers2

4

The Certificate Signing Request, as generated by the command :

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

will include your public key. This is mandatory as per the PKI process. The CSR, containing your entity information and the public key is sent to any Certificate Authority you like for a request of certificate (hence the CSR name). The CSR is signed using the private key that is linked to the embedded public key.

The CA, after assessing your identity, will basically sign the CSR to create a valid certificate for you. This is the certificate you will send to clients, e.g. when they connect to your website.

The private key in your privateKey.key file will be used by your webserver to decrypt messages sent to it. This private key should never, ever leave the server.

You can check the most common openSSL commands for more information.

Kevin
  • 103
  • 4
M'vy
  • 13,053
  • 3
  • 48
  • 69
  • I know this, and I read through that entire link you posted before asking. I am looking for a not-so-common way. Maybe using openssl API in c or something. – embasa Mar 03 '16 at 22:11
0

Unfortunately, a means of using the private key is actually required for creating a certificate signing request. As you are talking about a HSM, this is usually available as a OpenSSL engine.

For example, Yubico has documentation about creating a certificate request for a key that is protected by a Yubikey.

In essence you have to call openssl req like this:

openssl req -new ... -config ssl.conf -engine engine_name -keyform engine -key key_name

You need to create a ssl.conf configuration file which is a mess (at least for PKCS#11), something like

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
dynamic_path = /usr/lib/ssl/engines/libpkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so

And you have to figure out how specify key_name for the specific engine. If you don't have a OpenSSL engine for your HSM module, you are in bad luck. :-(

Bluehorn
  • 101
  • 1
  • Or, the HSM provides +it's own method+ for generating a CSR from a private key, with the assumption that you have access rights +for+ that key. Read the docs for your HSM. Accessing an HSM via OpenSSL is probably possible, the same way that taking a taxi from your house, around the block to your house, to pick up your car from your house is perfectly possible... – rip... Dec 02 '19 at 00:41