Dear all,

We are using C# with the Bouncy Castle .NET library to implement a feature. Let us say we work as website_A to generate a CSR for an end customer; the end customer then takes the CSR we generate to our business partner website_B to acquire a certificate.

Previously it worked perfectly fine. Note that keyPair.Public and keyPair.Private are from the same RSA key pair. The generated CSR can be validated without any issue at https://certlogik.com/decoder.

    Pkcs10CertificationRequest request = new Pkcs10CertificationRequest(
        "SHA256withRSA", new X509Name(subject), keyPair.Public, null, keyPair.Private);

However, our business partner website_B wants to validate that any CSR submitted/uploaded by an end customer is not only valid but was indeed generated by us (website_A). So we created a new pair of RSA keys, passed the new public key to website_B, and use the new private key to sign any new CSR. Our code is updated as below. Please note that keyPair.Public and newKeyPair.Private are from different RSA key pairs. The code can still generate a CSR, but it fails validation, for example at https://certlogik.com/decoder. Weirdly enough, our business partner website_B can still parse/decode the new format of CSR with the newKeyPair.Public we pass to them, if the CSR validation step is skipped.

    Pkcs10CertificationRequest request = new Pkcs10CertificationRequest(
        "SHA256withRSA", new X509Name(subject), keyPair.Public, null, newKeyPair.Private);

So my questions are:

1) Is our business partner website_B's requirement of a digital signature on the CSR (so that they can be sure the CSR was generated by us) sound?

2) If yes, how can we attach the digital signature of the CSR to the original CSR? Please note that Pkcs10CertificationRequest can only take one private key. Do we have to create a CSR and separately create a signature so that both of them can be uploaded to website_B?

3) Is there another way to digitally sign a CSR with a different private key?

Thanks,
Roger
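Added example, not part of Roger's post or of the Bouncy Castle project: it shows the "CSR plus separate signature" arrangement from question 2. A PKCS#10 signature is by definition verified with the public key carried inside the request (it is the proof of possession of that key), which is why a decoder rejects a CSR whose inner signature was made with newKeyPair.Private while the embedded key is keyPair.Public. The example therefore keeps the inner signature with keyPair.Private and adds a detached SHA256withRSA signature over the CSR's DER bytes with newKeyPair.Private; website_B checks both. The key names keyPair/newKeyPair follow the post; the subject string, method names (Issue, Verify), the use of Asn1SignatureFactory instead of the obsolete string-algorithm constructor, and the 2048-bit key size are assumptions made here for illustration.

```csharp
// Added example (not from the original post). Requires the BouncyCastle.Cryptography
// (Org.BouncyCastle) NuGet package. Method names and the subject string are illustrative.
using System;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;

public static class CsrWithDetachedSignature
{
    const string SigAlg = "SHA256withRSA";

    public static AsymmetricCipherKeyPair GenerateRsa(int bits)
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(new SecureRandom(), bits));
        return gen.GenerateKeyPair();
    }

    // website_A side: the CSR is self-signed with the end customer's own private key
    // (required by PKCS#10, so the embedded public key verifies it), and a second,
    // detached signature over the exact DER bytes is made with website_A's signing key.
    public static (byte[] CsrDer, byte[] Signature) Issue(
        string subject, AsymmetricCipherKeyPair keyPair, AsymmetricKeyParameter websiteAPriv)
    {
        var csr = new Pkcs10CertificationRequest(
            new Asn1SignatureFactory(SigAlg, keyPair.Private),
            new X509Name(subject), keyPair.Public, null);
        byte[] der = csr.GetEncoded();

        ISigner signer = SignerUtilities.GetSigner(SigAlg);
        signer.Init(true, websiteAPriv);
        signer.BlockUpdate(der, 0, der.Length);
        return (der, signer.GenerateSignature());
    }

    // website_B side: accept only if the CSR is internally valid AND the detached
    // signature over those same bytes verifies with the public key website_A handed over.
    public static bool Verify(byte[] csrDer, byte[] signature, AsymmetricKeyParameter websiteAPub)
    {
        var csr = new Pkcs10CertificationRequest(csrDer);
        if (!csr.Verify())
            return false;   // inner signature does not match the embedded public key

        ISigner verifier = SignerUtilities.GetSigner(SigAlg);
        verifier.Init(false, websiteAPub);
        verifier.BlockUpdate(csrDer, 0, csrDer.Length);
        return verifier.VerifySignature(signature);
    }

    public static void Main()
    {
        var keyPair = GenerateRsa(2048);     // end customer's key pair, as in the post
        var newKeyPair = GenerateRsa(2048);  // website_A's signing key pair, as in the post
        const string subject = "CN=example.test,O=Example Org";  // constructed sample subject

        var (der, sig) = Issue(subject, keyPair, newKeyPair.Private);
        Console.WriteLine("genuine CSR accepted: " + Verify(der, sig, newKeyPair.Public));

        // A CSR produced elsewhere (different key, no website_A signature over it) must be
        // rejected by website_B even though it is a perfectly valid PKCS#10 on its own.
        var strangerPair = GenerateRsa(2048);
        var (strangerDer, _) = Issue(subject, strangerPair, strangerPair.Private);
        Console.WriteLine("foreign CSR accepted:  " + Verify(strangerDer, sig, newKeyPair.Public));
    }
}
```

Two practical points for website_B: verify the detached signature over the exact bytes that were uploaded (re-encoding a parsed CSR can change them), and store the CSR and the signature together so neither can be swapped. If a single upload artifact is preferred, the same idea can be packaged as a CMS/PKCS#7 SignedData wrapping the CSR (Bouncy Castle's CmsSignedDataGenerator) instead of two files; the inner PKCS#10 must still be self-signed with keyPair.Private either way.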