From the wiki page for a Certificate signing request:
In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.
From the wiki page for a Self-signed certificate:
In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key.
So it sounds like one would submit a CSR to a CA to get a digital identity certificate. This digital identity certificate could potentially be of the same format as a self-signed certificate (for example the Public-Key Cryptography Standards 12 format).
The key difference is: the self-signed certificate is signed by the same party that owns the private key, while the digital identity certificate returned by the certificate authority upon receiving the certificate signing request is signed using the certificate authority's private key.
Therefore the self-signed certificate is guaranteed to work for encryption but not identification, while the digital identification certificate from the certificate authority is guaranteed to work for encryption and identification.
Is this right? Would love clarification via examples.
That is correct.
This gets kinda tricky. The CA-signed cert is only trusted for identification because the CA is included in the pre-populated certificate store built into browsers/OS. If I didn't have a pre-populated certificate store, neither of them would be trusted.
If I downloaded and verified the certificate of that self-signed key and added it to my certificate store, then I could trust it for all purposes.
So from the point of view of the technology the only difference is that your self-signed cert wouldn't be built into my browser/OS.
Well, as long as you "trust" the CA who signed a certificate, you can ensure that the situation is safe.
And you usually do this by installing the CA certificates (signers) in your environment, so that it auto-recognizes the certificates signed by this CA and considers them "trusted".
(Sorry, but I cannot comment yet, so I had to use the reply button.)
As a concrete example: in my company we do have our own CA, and we have the CA certificates installed in every web browser (whether it's IE, Firefox, etc.). When the CA "signs" our SSL certificates (used in the intranet, applications, etc. listening on SSL/TLS) and we access these applications, they are automatically recognized as safe, and you don't need to click through a specific warning banner saying that the certificates being used are not trusted (because they are either self-signed, signed by an unknown CA, or signed by a CA we do not trust).
The CA is what is used to sign a certificate. A CSR is a request you send to a CA so that they can sign a certificate for you, usually without having the key.
For example, you would go to a CA and ask for a certificate; they would ask you what info, and they generate a key and a cert. With a CSR the key is the same; they just generate a new cert, sometimes with different attributes like validity dates, etc.
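The flow discussed in the question and in the trust-store answer above, carried out end to end as an added example (this is not code from the original thread or from any of its posters): a private CA with a self-signed CA certificate, an applicant key pair and CSR, the CA signing that CSR with its own key, the same applicant key signing a certificate for itself, and finally `openssl verify` run against a trust store that holds only the CA, and then one that holds the self-signed certificate itself. It assumes only the `openssl` command-line tool (1.1.1 or 3.x) is on PATH; the names "Example Internal CA" and `intranet.example` are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes only the `openssl`
# CLI (1.1.1 or 3.x); "Example Internal CA" and intranet.example are made-up names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/demo.cnf"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_req_ext ]
subjectAltName = DNS:intranet.example
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example
subjectKeyIdentifier = hash
EOF

# 1. Private CA: key pair plus self-signed CA certificate. This is what an
#    organisation installs in every browser/OS trust store.
make_ca() {
  openssl req -x509 -new -config "$CFG" -extensions ca_ext \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Example Internal CA" -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Applicant: fresh key pair and a CSR carrying the public key, subject and
#    requested SAN, signed with the applicant's own private key (proof of
#    possession). The private key never leaves the applicant.
make_csr() {
  openssl req -new -config "$CFG" -reqexts leaf_req_ext \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=intranet.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  # Check the CSR's self-signature against the public key it carries.
  openssl req -in "$WORK/leaf.csr" -noout -verify >/dev/null 2>&1
}

# 3. CA: sign the CSR with the CA's private key, applying the CA's own
#    extension policy (CA:FALSE, serverAuth) rather than copying the request's.
sign_csr() {
  openssl x509 -req -in "$WORK/leaf.csr" -days 90 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$CFG" -extensions leaf_ext -out "$WORK/leaf.crt" 2>/dev/null
}

# 4. The alternative: the same leaf key signs a certificate for itself.
make_self_signed() {
  openssl req -x509 -new -config "$CFG" -extensions leaf_ext \
    -key "$WORK/leaf.key" -subj "/CN=intranet.example" -days 90 \
    -out "$WORK/self.crt" 2>/dev/null
}

# Does the certificate name itself as its own issuer?  $1 = certificate file
is_self_issued() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$s" = "$i" ]
}

# Relying party: chain $2 to a trust store holding only $1 and match the
# hostname against the SAN. Exit status 0 means "trusted".
verify_against() {
  openssl verify -CAfile "$1" -no-CApath \
    -verify_hostname intranet.example "$2" >/dev/null 2>&1
}

run_demo() {
  make_ca; make_csr; sign_csr; make_self_signed
  a=no;    is_self_issued "$WORK/leaf.crt" && a=yes
  b=no;    is_self_issued "$WORK/self.crt" && b=yes
  r1=fail; verify_against "$WORK/ca.crt"   "$WORK/leaf.crt" && r1=ok
  r2=fail; verify_against "$WORK/ca.crt"   "$WORK/self.crt" && r2=ok
  r3=fail; verify_against "$WORK/self.crt" "$WORK/self.crt" && r3=ok
  echo "leaf_self_issued=$a self_self_issued=$b" \
       "ca_signed=$r1 self_signed_vs_ca=$r2 self_signed_pinned=$r3"
}

run_demo
```

The last line of output is the point of the thread in one place: the CA-signed certificate has a different issuer from its subject and chains to the CA in the store, the self-signed one is its own issuer and is rejected by a store that only knows the CA, and it becomes accepted the moment it is itself placed in the store, which is the "download, verify and add it" step from the answer above. Note also that the CA sets the final extensions from its own `leaf_ext` section; the SAN in the CSR is a request, not something the CA is obliged to honour.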