CSR with only public key


CSR with only public key

Bharathi Prasad
Hi,
I have the public key of the client but not the private key. I am required
to generate a CSR with only public key. I understand private key is required
for Proof of Possession. However, as per my requirement I am supposed to
create CSR only with public key and my CA would create a certificate.

I was able to create a CSR with CX509CertificateRequestCertificate and
CX509Enrollment classes using the available public key. When I try to read
the contents of the CSR in openssl (I used this command: openssl req -in
client.csr -noout -text) I get "unable to load X509 request".

Is this happening because the CSR does not contain the signature of private
key or the CSR is faulty?

Kindly help me.

Regards,
Bharathi



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html

Re: CSR with only public key

OpenSSL - User mailing list
How could you create the CSR with only public key?



Regards,

Paul Yang



Re: CSR with only public key

Bharathi Prasad
I used CX509CertificateRequestCertificate  class to create CSR with only
public key.




Re: CSR with only public key

Francesco Petruzzi
In reply to this post by OpenSSL - User mailing list

Sign the request with a fake private key and hope the client does not require signature verification.

Regards
Francesco Petruzzi

 


Re: CSR with only public key

OpenSSL - User mailing list
Dare any CA proceed to sign a CSR without verifying the signature…

Maybe there are scenarios we are not aware of...



Regards,

Paul Yang



Re: CSR with only public key

Francesco Petruzzi

Yes Paul, you are right. A real CA must never accept a CSR without verifying the signature.

Francesco Petruzzi

 

Information Security Manager

Innovery SpA


Re: CSR with only public key

Kyle Hamilton
In reply to this post by Bharathi Prasad
If a CA signs a certificate without proof of possession of the private key, the CA is enabling whoever does have that private key to look as though they are the one who they sign the certificate for (i.e., impersonation).  The entire structure of PKI (the binding of the public half of a keypair to some external identity) depends on this not happening.

More importantly, in the situation where the person submitting the unsigned request can't prove possession, they know it is a situation where either the private key is lost (and the certificate would be useless anyway) or that impersonation is simply guaranteed.

There might be a scenario desired where the generation of the CSR isn't done by the holder of the private key internal to a company (perhaps because the holder of the private key is otherwise extremely busy), but because there's no way to tell if that limited scenario is different from the other scenarios based on available evidence, publicly trusted CAs are required (by rules of the CABF) to reject non-proof-of-possession scenarios entirely.

To answer your question, yes the error is because the request wasn't signed with the private key.  As such, it's not a complete request, and doesn't match the expected ASN.1 structure.

-Kyle H



Re: CSR with only public key

OpenSSL - User mailing list
In reply to this post by Bharathi Prasad
> I used CX509CertificateRequestCertificate class to create CSR with only
> public key.

Those functions/classes/names/whatever are not part of OpenSSL.

The OpenSSL "req" command cannot process a CSR unless it is signed by the private key.  If you have a requirement to sign a CSR with the public key, then probably other things within OpenSSL will not be able to handle it.
 


Re: CSR with only public key

Viktor Dukhovni
In reply to this post by Bharathi Prasad
On Thu, Sep 12, 2019 at 12:50:23AM -0700, Bharathi Prasad wrote:

> I have the public key of the client but not the private key. I am required
> to generate a CSR with only public key. I understand private key is required
> for Proof of Possession. However, as per my requirement I am supposed to
> create CSR only with public key and my CA would create a certificate.
>
> I was able to create a CSR with CX509CertificateRequestCertificate and
> CX509Enrollment classes using the available public key. When I try to read
> the contents of the CSR in openssl (I used this command: openssl req -in
> client.csr -noout -text) I get "unable to load X509 request".
>
> Is this happening because the CSR does not contain the signature of private
> key or the CSR is faulty?

The input is not a valid PEM-encoded CSR.  Perhaps it is
DER encoded.  To test:

    openssl req -inform DER -in client.csr -text

--
        Viktor.
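
The replies above raise two separate checks on a submitted request: whether the file is PEM or DER, and whether its signature proves possession of the private key. The following is an added example, not code from any poster in this thread, showing both checks as a CA-side intake step with the `openssl req` command; the function names, file names and the locally generated sample requests are assumptions.

```shell
#!/bin/sh
# Added example: intake check a CA front end could run on a submitted PKCS#10 file.
# Function and file names are hypothetical; all sample data is generated locally.

# Print PEM, DER or unreadable, depending on which encoding openssl can parse.
csr_encoding() {
    if openssl req -in "$1" -inform PEM -noout >/dev/null 2>&1; then echo PEM
    elif openssl req -in "$1" -inform DER -noout >/dev/null 2>&1; then echo DER
    else echo unreadable
    fi
}

# Succeed only if the request's signature verifies under the public key it
# carries (proof of possession). The exit status of "req -verify" differs
# between OpenSSL releases, so match the "verify OK" message instead.
csr_pop_ok() {
    enc=$(csr_encoding "$1")
    [ "$enc" != unreadable ] || return 1
    openssl req -in "$1" -inform "$enc" -verify -noout 2>&1 | grep -q 'verify OK'
}

# Build constructed samples in directory $1: good.pem, good.der, and bad.der,
# a copy of good.der whose final signature byte has been changed.
make_samples() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > "$d/req.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/key.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -key "$d/key.pem" \
        -subj "/CN=client.example" -out "$d/good.pem" 2>/dev/null
    openssl req -in "$d/good.pem" -outform DER -out "$d/good.der"
    size=$(wc -c < "$d/good.der")
    head -c $((size - 1)) "$d/good.der" > "$d/bad.der"
    last=$(tail -c 1 "$d/good.der" | od -An -tu1 | tr -d ' \n')
    if [ "$last" = 0 ]; then printf '\001'; else printf '\000'; fi >> "$d/bad.der"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in good.pem good.der bad.der; do
    if csr_pop_ok "$tmp/$f"; then verdict=accept; else verdict=reject; fi
    echo "$f: encoding=$(csr_encoding "$tmp/$f") decision=$verdict"
done
rm -rf "$tmp"
```

The altered request still parses as DER, so a successful `openssl req -text` dump says nothing about proof of possession; only the `-verify` step separates the two cases.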

Re: CSR with only public key

Walter H.
In reply to this post by Bharathi Prasad
Hey,

Try calculating the private Key from the public key ;-)
but this can last a little time you don't have;

Walter

On Thu, September 12, 2019 09:50, Bharathi Prasad wrote:
> Hi,
> I have the public key of the client but not the private key.
> ...
>
> Regards,
> Bharathi



Re: CSR with only public key

Bharathi Prasad
In reply to this post by Viktor Dukhovni
Hi,
Thanks for the prompt replies. I agree signature from private key should be
present in a CSR. However, as per RFC 2511, Proof Of Possession is optional
though it strongly recommends to have it.

I was able to create the CSR with only public key. I was unintentionally
adding an extra line at the end while writing to a file. That is the reason
for the error. However, I have rectified it and now I am able to view the
CSR contents with openssl req command.

I am yet to check if I can get a valid certificate from my CA. But thanks
for the help.

Regards,
Bharathi





Re: CSR with only public key

Bharathi Prasad
In reply to this post by Kyle Hamilton
You are right. Cannot create a certificate with CSR containing only public
key.

Thanks for the explanation.


