Question
A public/private key pair will be generated during the creation of the CSR on our server. We will send the CSR and public key to the CA while keeping the private key with us. The CA will validate our public key before signing it with the private key of the CA's root certificate. We have our own CA team to certify the CSR requests. My queries are as follows:
- Will the CSR itself include the public key, or do we need to provide the public key separately to the CA?
- Will the CSR be signed by our public key before sending it to the CA, or does the CSR hold the public key alongside it?
- Will the CA sign only the CSR, or the combined set of CSR + public key?
- Should we install the CA's root and intermediate certs in our trust store on both the client and server side, since we are using our own CA instead of a global CA?
- When we present the server certificate to the client, will that cert include the public key of the server?
- Should we install the server's public key in the truststore of the clients for encryption purposes?
Thanks for the help, in advance.
Answer 1:
Will the CSR itself include the public key, or do we need to provide the public key separately to the CA?
The public key is inside the CSR.
Will the CSR be signed by our public key before sending it to the CA, or does the CSR hold the public key alongside it?
The CSR is signed by your key. The public key is not enough; the private key is needed for signing.
Will the CA sign only the CSR, or the combined set of CSR + public key?
The CA will extract the information from the CSR, including the public key, and sign it. It will not sign the CSR itself.
Should we install the CA's root and intermediate certs in our trust store on both the client and server side, since we are using our own CA instead of a global CA?
Only the root needs to be stored at the client as the trust anchor. The intermediate certs should be sent by the server together with the server's certificate inside the SSL handshake.
When we present the server certificate to the client, will that cert include the public key of the server?
Yes, a certificate is the public key plus additional information like the subject (hostname).
Should we install the server's public key in the truststore of the clients for encryption purposes?
No. The client will get the certificate during the SSL handshake. You only want to know about the server's certificate or public key before doing the handshake if you use certificate pinning.
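The flow the answer describes, written out as an added example in Go using only the standard library (this is not code from the original post): the requester generates a key pair and a CSR that embeds the public key and is self-signed with the private key; the CA checks that self-signature and then issues a new certificate from the CSR's subject and public key (it never signs the CSR bytes themselves); and a client that holds only the private root as trust anchor verifies the chain using the intermediate that the server presents next to its own certificate. The CA names, the hostname app.internal.example and the serial-number counter are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var serial int64 // constructed: a counter stands in for a real CA's random serial numbers
func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA returns a self-signed root when parent is nil, else an intermediate signed by parent.
func newCA(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if parent == nil { // root: the template is signed with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// serverCSR is the requester's step: the key pair stays on the server; the CSR embeds
// the public key and is self-signed with the private key.
func serverCSR(hostname string) (*ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	must(err)
	return key, der
}

// caIssue is the CA's step: verify the CSR's self-signature (proof the requester holds the
// private key), then sign a NEW certificate built from the CSR's subject and public key.
func caIssue(csrDER []byte, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("rejecting CSR: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientVerify models the client: only root is in its trust store; sent is what the server presented.
func clientVerify(leaf, root *x509.Certificate, hostname string, sent ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

func main() {
	root, rootKey := newCA("Example Private Root CA", nil, nil)
	inter, interKey := newCA("Example Private Issuing CA", root, rootKey)
	serverKey, csrDER := serverCSR("app.internal.example")
	leaf, err := caIssue(csrDER, inter, interKey)
	must(err)
	fmt.Println("issued cert carries the server's public key:", serverKey.PublicKey.Equal(leaf.PublicKey))
	fmt.Println("root trusted, intermediate sent:", clientVerify(leaf, root, "app.internal.example", inter))
	fmt.Println("root trusted, intermediate not sent:", clientVerify(leaf, root, "app.internal.example"))
}
```

Running it with go run prints true, then a nil error, then a non-nil error. The last line is the failure mode behind the answer's point about the handshake: a client that trusts only the root cannot build the chain when the server omits the intermediate, so the intermediate belongs in the server's configuration, not in every client's truststore.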
Source: https://stackoverflow.com/questions/33827979/use-of-public-key-in-the-certificate-signing-request-csr