Can I use an existing CSR file?

jim.armstrong
openssl version -a returns OpenSSL 0.9.8g - Platform: debian-i386-i686/cmov

There's an existing CSR file on the server. Can I use this CSR file or do I need to generate a new one? All the info on the existing file is accurate and it's 2048 bit, so no changes need to be made to it. If I needed to generate a new one, I'd simply use the existing one to fill out the fields.

Thanks
RE: Can I use an existing CSR file?

Edward Ned Harvey (openssl)
> From: [hidden email] [mailto:owner-openssl-[hidden email]] On Behalf Of jim.armstrong
>
> openssl version -a returns OpenSSL 0.9.8g - Platform: debian-i386-i686/cmov
>
> There's an existing csr file on the server.  Can I use this csr file or do I
> need to generate a new one?  All the info on the existing file is accurate
> and it's 2048 bit.  So no changes need to be made to it.  If I needed to
> generate a new one. I'd simply use the existing one to fill out the fields.

If you generate a CSR, and let's suppose it's valid for 1 year, so a year
later you return to the same directory where you previously created your
CSR, and you're now considering reusing last year's private key and CSR, as
opposed to generating a new private key and a new CSR exactly like you did
last time...

You *can* reuse last year's CSR, but you shouldn't.  The more data you
encrypt using a specific key, the more prone it will be to attack.  The
whole time you're using your key, it's conceivable somebody's listening to
all the data, looking for signs of collision, and the more data you encrypt
with it, the more likely an eventual collision actually is.  A collision
doesn't automatically give up data, but it can't help, it can only harm.  So
you want to avoid it, however improbable and however insignificant it
probably is.  I forget exactly how to calculate the amount of encrypted data
before expected collision, but it's not astronomical.  It is worldly.  If
you set your servers to busy work trying to accidentally run into a
collision, you can do it.  The amount of data calculation is in one of my
text books, but the point is:

There's no good reason to reuse last year's key; and however improbable and
however insignificant the possibility of problems, there is a good reason to
generate a new one.  Which then necessitates a new CSR.  It is best practice
to generate a new key & CSR.  Don't reuse last year's, even though you can.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
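The practical consequence of the reply is that a CSR is bound to exactly one private key: reusing last year's CSR means reusing last year's key, and a fresh key always needs a fresh CSR. The POSIX shell script below is an added example written for this page, not code from either poster or from the OpenSSL project. It shows how to read the key size and subject out of an existing CSR, how to check whether a CSR was produced from a given private key (by comparing the RSA modulus), and how to generate a new key and CSR non-interactively from a throwaway config. The file names and the subject `CN = example.com` are constructed for the example; the modulus check assumes RSA keys, which is what the thread discusses.

```shell
#!/bin/sh
# Added example (not from the thread): inspect an existing CSR, check which
# private key it belongs to, and generate a fresh key + CSR non-interactively.
# Paths and the CN "example.com" are constructed values for this demo.

set -eu

# Print the RSA key size embedded in a CSR, e.g. "2048".
# Matches "Public-Key: (2048 bit)" (OpenSSL 1.x/3.x) as well as the older
# "RSA Public Key: (2048 bit)" wording.
csr_key_bits() {
    openssl req -noout -text -in "$1" \
        | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the subject DN of a CSR as openssl formats it.
csr_subject() {
    openssl req -noout -subject -in "$1"
}

# Return 0 if the CSR was made from the given private key (same RSA modulus),
# 1 otherwise. A CSR that does not yield a modulus line is treated as no match
# rather than as an empty-equals-empty false positive.
csr_matches_key() {
    csr_mod=$(openssl req -noout -modulus -in "$1" 2>/dev/null || true)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
    case $csr_mod in
        Modulus=*) ;;
        *) return 1 ;;
    esac
    [ "$csr_mod" = "$key_mod" ]
}

# Generate a new 2048-bit RSA key and a CSR for it with no interactive prompts.
# A temporary config is written so the script does not depend on the system
# openssl.cnf; the DN comes from that config (prompt = no).
make_key_and_csr() {
    key=$1; csr=$2; cn=$3
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[ req ]
prompt = no
default_md = sha256
distinguished_name = req_dn
[ req_dn ]
CN = $cn
EOF
    openssl genrsa -out "$key" 2048 2>/dev/null
    chmod 600 "$key"                       # private key stays owner-readable only
    openssl req -new -key "$key" -out "$csr" -config "$cfg"
    rm -f "$cfg"
}

# Demo: create a key/CSR pair, inspect it, then show that a second fresh key
# does NOT match the old CSR, so a new key always needs a new CSR.
demo() {
    work=$(mktemp -d)
    make_key_and_csr "$work/server.key" "$work/server.csr" example.com
    csr_subject "$work/server.csr"
    echo "key size: $(csr_key_bits "$work/server.csr") bit"
    if csr_matches_key "$work/server.csr" "$work/server.key"; then
        echo "server.csr belongs to server.key"
    fi
    make_key_and_csr "$work/new.key" "$work/new.csr" example.com
    if csr_matches_key "$work/server.csr" "$work/new.key"; then
        echo "unexpected: old CSR matches the new key"
    else
        echo "old CSR does not match new.key: a new key needs a new CSR"
    fi
    rm -rf "$work"
}

demo
```

`csr_matches_key` is the check to run before handing any CSR to a CA: if the modulus in the CSR is not the modulus of the key the server will actually use, the issued certificate will be useless for that server. Running `csr_key_bits` and `csr_subject` on the old file is how to confirm the "all the info is accurate and it's 2048 bit" claim from the question before deciding to regenerate.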