Certificate Request and Private Keys

I am trying to gain a better understanding of SSL certificates. When you generate a CSR request, the password used to create the CSR is the private key, and the CRT file generated by your CA is the public key, correct?

Kent Dyer (IT Security Analyst Senior) commented:
Basically, the way that a cert works is that you as the user would make a request on a secure link (SSL: Secure Sockets Layer).  The application does a check - does the resource I am connecting to have a good certificate (not damaged)?  OK, good - is the certificate not expired (it does a comparison between today's date and when the cert expires)?  You can view a cert in a browser when trying to order something online, for example.  I always check to see if the cert is valid and up-to-date.  I know this is a very high-level overview, but it should help give you the "lay of the land", so to speak.

What is your level of encryption?  Is it 1024- or 2048-bit?  Is this self-signed, or is this from Thawte or Verisign?  Just as an FYI, you can create your own cert using the JDK.  There are many avenues to get certs from, both commercially and internal to your organization.  Do you have one that is coming up on an expiration?

Are you just trying to learn?  There is way more to learn than just a couple of sentences here.  I know I may not be answering your question - as you are asking some kind of security-specific questions.

Is this a domain cert or a machine cert?  Is this put into place by a senior-level admin?  You need to be very careful when dealing with security certs, tokens, VPNs, etc.


Dave Howe (Software and Hardware Engineer) commented:
Not exactly.

A certificate signing request contains the public key already, plus further details (such as the name of the expected recipient, contact details and so forth), and is digitally signed by the private key that matches the public key.

In creating a certificate, the CA copies the public key and other details over from the CSR, adds some additional data (signing authority, possibly a CA cert path, certainly constraints such as "can't sign other certs" and a start and end date, plus their own cert's fingerprint), then digitally signs it with their own private key.

This certificate is then asserted verbatim to clients - who use the public key within to encode their data, which you then use the private key to decrypt.
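
The exchange described in the answer above, as an added example that is not part of the original thread or of any tool mentioned in it. It uses the openssl command line (assumed to be OpenSSL 1.1.1 or newer). The file names, the subject names demo.example and "Demo CA", and the minimal req.cnf are assumptions made for this example, not anything from the thread. Each check prints yes or no so the claims in the answer can be read straight off the objects: the CSR carries the public key and is self-signed by the private key, contains no private key, and the issued certificate is that same public key plus the constraints the CA added, signed by the CA.

```shell
#!/bin/sh
# Added example (not from the thread): what a CSR carries, and what the CA
# adds when it turns the CSR into a certificate, using the openssl CLI.
# File names, subject names and the config file are assumptions made here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so this does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF

# Step 1: the key pair exists first, on this machine, in this file only.
gen_key() {   # $1 = key file to write
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}
# Step 2: the CSR embeds the PUBLIC half of $1 plus the subject, and is
# self-signed with the private key so the CA knows the requester holds it.
make_csr() {   # $1 key, $2 csr out, $3 common name
    openssl req -new -key "$1" -subj "/CN=$3" -config req.cnf -out "$2"
}
# Step 3: a tiny CA whose own cert is self-signed (CA:TRUE from req.cnf).
make_ca() {   # $1 ca key out, $2 ca cert out
    gen_key "$1"
    openssl req -x509 -new -key "$1" -subj "/CN=Demo CA" -days 365 \
        -config req.cnf -out "$2"
}
# Step 4: the CA copies subject + public key from the CSR, adds its own
# validity and constraints (v3_leaf: CA:FALSE), and signs with the CA key.
sign_csr() {   # $1 csr, $2 ca cert, $3 ca key, $4 leaf cert out
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 90 \
        -extfile req.cnf -extensions v3_leaf -out "$4" 2>/dev/null
}

# --- checks: each prints yes/no (or a count) ---
# Public key carried inside a CSR ("req") or a certificate ("x509").
pubkey_of() {   # $1 req|x509, $2 file
    openssl "$1" -in "$2" -noout -pubkey
}
# Does the public key in $2 (type $1) belong to private key $3?
pubkey_matches_key() {
    if [ "$(pubkey_of "$1" "$2")" = "$(openssl pkey -in "$3" -pubout)" ]; then
        echo yes
    else
        echo no
    fi
}
# Does the CSR's self-signature verify under the public key it carries?
csr_signature_ok() {
    if openssl req -in "$1" -noout -verify 2>&1 | grep -q "OK"; then echo yes; else echo no; fi
}
# Number of private-key blocks in a PEM file (0 for a CSR or a certificate).
private_key_blocks() {
    grep -c "BEGIN .*PRIVATE KEY" "$1" || true
}
# Does the leaf certificate chain to the CA certificate?
cert_verifies_against_ca() {   # $1 leaf cert, $2 ca cert
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}
# Did the CA add the "cannot sign other certs" constraint?
cert_has_ca_false() {
    if openssl x509 -in "$1" -noout -text | grep -q "CA:FALSE"; then echo yes; else echo no; fi
}

# --- run the whole exchange ---
gen_key  server.key
make_csr server.key server.csr demo.example
make_ca  ca.key ca.crt
sign_csr server.csr ca.crt ca.key server.crt
gen_key  other.key   # an unrelated key, to show the match is specific

echo "CSR pubkey matches server.key:    $(pubkey_matches_key req server.csr server.key)"
echo "CSR pubkey matches other.key:     $(pubkey_matches_key req server.csr other.key)"
echo "CSR self-signature verifies:      $(csr_signature_ok server.csr)"
echo "private-key blocks in server.csr: $(private_key_blocks server.csr)"
echo "cert pubkey matches server.key:   $(pubkey_matches_key x509 server.crt server.key)"
echo "cert chains to ca.crt:            $(cert_verifies_against_ca server.crt ca.crt)"
echo "cert has CA:FALSE:                $(cert_has_ca_false server.crt)"
```

Run it as a script. The other.key line is the one worth pausing on: a CSR proves possession of exactly one private key, and the certificate the CA returns is only useful on the machine that still holds that key. The CA:FALSE line is the "can't sign other certs" constraint from the answer, added by the CA from its own config, not copied from the request.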
compdigit44 (Author) commented:
Thanks for the replies everyone.

My problem is that I am not understanding the technical details of the CSR process. I know what a CSR is and what it is used for.

Here are my questions.
1) Why is a password needed to create a CSR?
2) When you purchase a Certificate from Verisign for example, this is your public key, correct? Where and how does the private key get generated?
3) What is the difference between the various certificate file formats: .CRT, .p12, etc.?

Dave Howe (Software and Hardware Engineer) commented:
1) It isn't. Most CSRs don't have a password.
2a) The certificate is generated from the CSR - if you get the CSR right, so is the certificate.
2b) When you generate the CSR you also generate the private key. The private key never leaves the machine it is generated on though (unless you explicitly move it).
3) Very little, just different encodings of the same data.
Essentially, there are only three objects - a cert, a private key, and a CSR.
You can encode each by three different standards - DER (which is a binary format), PEM (which is basically base64 encoding of the DER format) or RSA (PKCS#whatever).
You can also have more than one item in a single file, if the format supports it - for PEM, that is just putting them in the same file (literally), but for PKCS there is a specific format for each type - 7 is one or more certificates, and 12 is basically 7 plus the secret key.

Seriously though, what you need to do is download http://sourceforge.net/projects/xca and play - that can generate CSRs, private keys and certificates, export them in various formats, and act as a CA (so signing a CSR into a cert, or creating a cert already signed by its CA).

You will learn more playing with xca for half an hour or so than from an entire bookful of guides :)
Dave Howe (Software and Hardware Engineer) commented:
Oh, and I forgot to add - the *instructions* for xca are at http://xca.sourceforge.net/ :)
compdigit44 (Author) commented:
Thanks for the reply.

I'm going to check out the links you posted later today!!!

The item that keeps stumping me is the fact that the last couple of times I created a CSR, the program or app required a password. I always assumed this was used as the private key, but from your description it is not.
Dave Howe (Software and Hardware Engineer) commented:
No, you *can* password-protect your CSR - but no CA will insist on this, so a non-passworded PEM or PKCS CSR is perfectly acceptable too.

The secret key is another matter - it is common to protect that (in standalone systems, less so for things like web browsers or Windows) with a passphrase, but that has little to do with CSRs. OpenSSL (for instance) will prompt for a password, but that is for local protection of the private key and not the CSR itself.

In either case, the private key never leaves the machine that creates it - the CSR does not contain the private key.
compdigit44 (Author) commented:
Still having a hard time understanding how the private key is generated in relation to the CSR...

I did download the tool you suggested and am checking it out now.
Dave Howe (Software and Hardware Engineer) commented:
It depends on how you are generating your CSR.
Most CSR tools will generate a private key unless you give them one already prepared. In Windows, the default for most packages is to stick the unmatched key into the local keystore (Firefox of course sticks it in *its* keystore, and OpenSSL saves it into a PEM-formatted file).

With XCA, you can take either route. You can either select a key already generated, or generate a new key - either way, the key goes into the XCA keystore, and will be matched up automatically if you import a valid certificate from the CSR you create.
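
Three points from the answers above, shown together in one added example that is not part of the thread or of XCA: the CSR tool generates the private key alongside the CSR unless you hand it an existing one; the "password" such a tool asks for encrypts the key file at rest and has nothing to do with the CSR; and .crt/.der/.p7b/.p12 are re-encodings of the same three objects, where PKCS#7 holds certificates only and PKCS#12 holds the chain plus the private key. It uses the openssl command line (assumed 1.1.1 or newer); the file names, the sample passphrase hunter2, the subject names and the minimal req.cnf are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): where the private key comes from when a
# CSR tool "asks for a password", what that password protects, and the same
# objects re-encoded as PEM, DER, PKCS#7 and PKCS#12 with the openssl CLI.
# File names, the sample passphrase and subject names are assumptions made here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so this does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF

# One req call generates BOTH a fresh private key and a CSR for it.
# -nodes: write the key file unencrypted (no passphrase prompt at all).
csr_with_new_key() {   # $1 key out, $2 csr out, $3 common name
    openssl req -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=$3" -config req.cnf 2>/dev/null
}
# Same, but the key file is encrypted at rest under passphrase $4. This is the
# "password" the tool asks for: it protects the key file, not the CSR.
csr_with_new_encrypted_key() {   # $1 key out, $2 csr out, $3 common name, $4 passphrase
    openssl req -newkey rsa:2048 -keyout "$1" -out "$2" \
        -subj "/CN=$3" -passout "pass:$4" -config req.cnf 2>/dev/null
}
# First PEM line: names the object type and whether it is encrypted.
pem_header() { head -n 1 "$1"; }
# yes if private key $1 can be opened with passphrase $2.
key_opens_with() {
    if openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null; then echo yes; else echo no; fi
}

# --- encodings of the same certificate ---
# PEM -> DER is a pure re-encoding; the fingerprint identifies the content.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
fingerprint() {   # $1 cert file, $2 PEM|DER
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}
# PKCS#7 (.p7b): one or more certificates and nothing else.
make_p7b() {   # $1 out, $2 leaf cert, $3 ca cert
    openssl crl2pkcs7 -nocrl -certfile "$2" -certfile "$3" -out "$1"
}
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c "^subject="
}
# PKCS#12 (.p12/.pfx): the certificate chain PLUS the private key, encrypted
# under password $5. Handle this file with the same care as the key itself.
make_p12() {   # $1 out, $2 key, $3 leaf cert, $4 ca cert, $5 password
    openssl pkcs12 -export -inkey "$2" -in "$3" -certfile "$4" \
        -passout "pass:$5" -out "$1"
}
p12_cert_count() {   # $1 p12, $2 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c "BEGIN CERTIFICATE"
}
p12_key_count() {    # $1 p12, $2 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c "BEGIN .*PRIVATE KEY"
}

# --- run it ---
csr_with_new_key           server.key server.csr demo.example
csr_with_new_encrypted_key laptop.key laptop.csr laptop.example hunter2   # sample passphrase
# A throwaway CA so there is a real issued certificate to re-encode.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -subj "/CN=Demo CA" \
    -days 365 -config req.cnf -out ca.pem 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 90 -out server.pem 2>/dev/null
pem_to_der server.pem server.der
make_p7b chain.p7b server.pem ca.pem
make_p12 bundle.p12 server.key server.pem ca.pem hunter2

echo "unencrypted key header: $(pem_header server.key)"
echo "encrypted key header:   $(pem_header laptop.key)"
echo "CSR header (no key, no password inside): $(pem_header laptop.csr)"
echo "laptop.key opens with right/wrong passphrase: $(key_opens_with laptop.key hunter2)/$(key_opens_with laptop.key nope)"
echo "PEM fingerprint: $(fingerprint server.pem PEM)"
echo "DER fingerprint: $(fingerprint server.der DER)"
echo "certs in chain.p7b: $(p7b_cert_count chain.p7b)"
echo "certs/keys in bundle.p12: $(p12_cert_count bundle.p12 hunter2)/$(p12_key_count bundle.p12 hunter2)"
```

Run it as a script. The two key headers are the whole story behind the prompt: the same req command produced laptop.csr and server.csr with no password in either, and only the key file changed. The matching fingerprints show that a .der and a .pem of the same certificate are one object, and the counts show the one difference that matters operationally: a .p7b can be mailed to anyone, a .p12 contains the private key and must be protected like one.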
