I've generated a self certified SSL cert for testing a new web site. The time has come for the site to go live and I now want to purchase a cert from GeoTrust. Can I use the same CSR that I generated for the self cert, or do I need to create a new one?
Rich
As long as you're using the same key, domain (aka common-name), contact details and validity period you should be able to use the same CSR.
Though to be honest generating a CSR is a pretty simple job, so if you need to amend the contact details (which a lot of SSL providers are strict on) it's not a big deal.
For your example case, I don't think it's worth trying to reuse CSRs. However, for a large diverse team of Apple iOS developers (like I have) there is a good reason to do this. We create (actually, ask Apple to create) all our signing certs and push certs off the same private key. That way we can all collaborate easily on our 85+ apps. For this reason, we keep a single CSR lying around and always use the same one for as long as the key is valid.
As far as I know, there is no reason to repeatedly generate CSRs from a single private key. I'd love to be corrected if I am wrong.
The main benefit of having limited-duration certificates is to reduce the damage if your private key is leaked. Somebody possessing the private key can otherwise impersonate being you forever if you reuse the CSR, because re-using the CSR implies reuse of your private key as well.
Please don't do that; it's better to automate generation of both the private keys as well as the CSRs and find convenient ways to distribute the ever-changing private keys to application build servers and push servers. Most mere mortal developers would normally never need to do a release/distribution-build for the app store anyhow, so won't need the private keys.
You can indeed in theory reuse the same CSR, as this is just a container for
This is what a certificate (short for PublicKey Certificate) is about after all
But as noted in other answers, it is a good practice to change private key regularly, so that implies new Certificate, and so new CSR to get it.
You can easily look at the contents of a CSR
e.g.
CSR
And PrivateKey
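The answers above come down to one fact: a CSR carries the public key it was built from, so resubmitting it keeps the same private key in service. The script below is an added example, not code from any of the posts. It compares the key inside a CSR with an original and a rotated private key, using throwaway EC keys and the hypothetical name `www.example.test`.

```shell
#!/bin/sh
# Added example. All keys and the CSR are constructed throwaway test material.
set -eu

# SHA-256 of the public key embedded in a CSR (DER SubjectPublicKeyInfo).
csr_pubkey_digest() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key file.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the CSR was built from this private key.
csr_matches_key() {
    [ "$(csr_pubkey_digest "$1")" = "$(key_pubkey_digest "$2")" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Original key and the CSR made from it (hypothetical name www.example.test).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/old.key" 2>/dev/null
openssl req -new -key "$WORK/old.key" -subj "/CN=www.example.test" \
    -out "$WORK/site.csr"

# Rotated key: a fresh private key generated at renewal time.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/new.key" 2>/dev/null

# Show the CSR's subject and check its self-signature.
openssl req -in "$WORK/site.csr" -noout -subject -verify 2>&1

for k in old new; do
    if csr_matches_key "$WORK/site.csr" "$WORK/$k.key"; then
        echo "$k.key: CSR carries this key (resubmitting the CSR keeps it in service)"
    else
        echo "$k.key: CSR does not carry this key (rotating needs a new CSR)"
    fi
done
```

The same digest comparison works against an issued certificate by swapping `openssl req -in` for `openssl x509 -in`, which is a quick way to confirm that a renewal really rotated the key.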