Is it possible to issue a certificate without a CSR, using the old private key?
I'm confused about something in the SSL renewal process using WHM/cPanel for an existing Comodo Extended Validation cert.
We have been issued a replacement certificate by Comodo without - I believe - ever submitting a CSR for them. I say "I believe" because there are 3 people with access to WHM for this server, but I'm assured that no one has been fiddling in the last year.
Does this sound possible? CAN a cert be supplied without a CSR if it's a replacement? I will attempt to get hold of Comodo but being a weekend, and seeing that the old cert runs out in a day I thought I'd consult the stackHiveMind :)
More info:
As a test, I've tried to install the new cert and 'fetch' the existing private key, but when I try to submit that I get the following error:
SSL install aborted due to error: Modulus mismatch, key file does not match certificate. Please use the correct key file
In some cases, yes, you can. Assuming you have an RSA private key in PEM format, this will extract the public key (it won't generate a certificate):
This will create a new CSR with the public key, obtained from the private key file.
Note that, strictly speaking, a CA doesn't need you to submit a CSR to issue a certificate. All it needs is the public key (to which it will have access through your existing cert). It could potentially attach any Subject DN and attribute and issue it as a certificate without any need to contact you. Of course such practices might be incompatible with their policies, but technically, it's possible. The CSR is merely a convenient format for you to send a public key to request a certificate, and submit the name and attributes you would like (which you all sign together).
Provided you've done the certificate operations properly, this could indicate that the new certificate you've been issued has been issued against a different key-pair than yours. This could indicate foul play, because someone else could have issued a CSR with their own key-pair and have had this certificate issued to them (which could be quite worrying since you're talking of an EV cert too, which is supposed to have additional protections against this.)
I would suggest checking with your colleagues if any have requested a new certificate or contacting your CA to find out why you've received a new certificate. Renewing the certificate using the previous public key might be part of their existing package. If it's using the same public key, it's not a problem, although it's better practice to change the key material, i.e. submit a CSR coming from a new key-pair, when renewing a certificate.
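As an added example (not part of the original answer), here is the check cPanel performs when it reports "Modulus mismatch", scripted with openssl: it compares the public key carried by a private key, a certificate and a CSR, and builds a renewal CSR from an existing key. All file names (ours.key, theirs.crt, renew.csr) and the CN example.test are constructed locally for the demonstration; nothing contacts a CA.

```shell
#!/bin/sh
# Added example, not from the original answer: reproduce cPanel's
# "Modulus mismatch" check with openssl and build a renewal CSR from an
# existing key. All files are constructed locally; nothing contacts a CA.
set -eu

# SHA-256 of the DER-encoded public key carried by a private key, a
# certificate or a CSR. Equal digests mean equal RSA modulus and exponent.
pubkey_fingerprint() {
  { case "$1" in
      key)  openssl pkey -in "$2" -pubout ;;
      cert) openssl x509 -in "$2" -noout -pubkey ;;
      csr)  openssl req  -in "$2" -noout -pubkey ;;
    esac; } | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when the certificate was issued for this private key; a
# failure here is exactly what WHM reports as "Modulus mismatch".
key_matches_cert() {
  [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

# Renewal CSR for an EXISTING key: the CA receives the same public key again.
# Better practice, as the answer notes, is a fresh key pair (openssl genrsa).
csr_from_existing_key() {
  openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# Constructed material in directory $1: our key plus a self-signed cert for it,
# and a cert for a key pair we never had (what a third party's CSR would yield).
make_test_material() {
  for who in ours theirs; do
    openssl genrsa -out "$1/$who.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/$who.key" -subj /CN=example.test \
      -days 1 -out "$1/$who.crt" 2>/dev/null
  done
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); make_test_material "$d"
  key_matches_cert "$d/ours.key" "$d/ours.crt"   && echo "ours.crt:   key matches"
  key_matches_cert "$d/ours.key" "$d/theirs.crt" || echo "theirs.crt: Modulus mismatch"
  csr_from_existing_key "$d/ours.key" example.test "$d/renew.csr"
  echo "renew.csr public key: $(pubkey_fingerprint csr "$d/renew.csr")"
fi
```

Run it as `sh check.sh demo`; to test a real WHM installation, point key_matches_cert at the existing key file and the replacement certificate you were sent.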