The Certification Request has a signature field generated by running the RSA sign operation against the fields in the request. This signature is used to perform an RSA verify using the public key in the request. The signature must be valid for most CAs to accept the request. The cryptographic term for this is "proof of possession" and it's used to prevent some attacks.

-- 
Sent from my mobile device.
Steven Funasaki <thegreatste...@gmail.com> wrote:
> I can't seem to find more detailed information on what is going on when
> generating a CSR. I would like to learn more in detail how the private key
> is used to create a CSR besides just matching the public key.
>
> When generating a CSR using OpenSSL you have two options:
>
> 1) Generate a private key when the CSR is generated
>
> 2) Use the private key to derive a public key and use the public key to
> create the CSR
>
> Does the CSR need to be signed with the matching private key for the CA to
> validate it?
>
> Hypothetically, what if I have TWO key pairs (PubKey1, PrivKey1, PubKey2,
> PrivKey2). First thing I do is move PrivKey1 to another place. Is there a
> way where I can use PubKey1 to make the CSR (without access to PrivKey1),
> but sign it with PrivKey2 to preserve integrity?
>
> Can you explain why the above scenario will not be validated by the CA?
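The check the reply describes, written out as an added example (this is not code from either poster, and it is not how OpenSSL itself is implemented). It splits a PKCS#10 request into its three top-level DER elements (certificationRequestInfo, signatureAlgorithm, signature), performs the CA-side verify with the public key found inside the request, and then builds the exact request from the question: PubKey1 inside, signature produced by PrivKey2. It assumes the third-party `cryptography` package and RSA with PKCS#1 v1.5 / SHA-256, which is what that library's CSR builder emits by default; key sizes and the subject name are arbitrary test values.

```python
"""
Added example: a CA's proof-of-possession check on a PKCS#10 request,
and why a request that carries PubKey1 but is signed with PrivKey2 fails it.
Assumes the third-party `cryptography` package (not OpenSSL's own code).
"""
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def gen_key(bits: int = 2048) -> rsa.RSAPrivateKey:
    """Fresh RSA key pair (the `openssl genrsa` step)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def make_csr(key: rsa.RSAPrivateKey, cn: str) -> bytes:
    """Equivalent of `openssl req -new -key key.pem`: the request carries
    the public half of `key` and is signed with `key` itself."""
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .sign(key, hashes.SHA256())  # PKCS#1 v1.5 padding by default for RSA
    )
    return csr.public_bytes(serialization.Encoding.DER)


def _der_tlv(buf: bytes, off: int):
    """(header_length, content_length) of the DER TLV starting at buf[off]."""
    if buf[off + 1] & 0x80 == 0:
        return 2, buf[off + 1]
    n = buf[off + 1] & 0x7F
    return 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def _der_len(n: int) -> bytes:
    """DER length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def split_csr(der: bytes):
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo,
    signatureAlgorithm, signature BIT STRING }.  Returns the three encoded
    elements; the first is the exact byte string the signature covers."""
    hdr, _ = _der_tlv(der, 0)
    parts, off = [], hdr
    while off < len(der):
        eh, el = _der_tlv(der, off)
        parts.append(der[off:off + eh + el])
        off += eh + el
    if len(parts) != 3:
        raise ValueError("not a PKCS#10 CertificationRequest")
    return parts  # tbs, alg_id, sig_bitstring


def ca_verify(der: bytes) -> bool:
    """The CA-side proof-of-possession check: verify the signature over
    certificationRequestInfo using the public key embedded in that same
    structure.  No key from outside the request is consulted."""
    tbs, _alg, sig_tlv = split_csr(der)
    hdr, _ = _der_tlv(sig_tlv, 0)
    sig = sig_tlv[hdr + 1:]  # skip the BIT STRING "unused bits" byte
    csr = x509.load_der_x509_csr(der)
    try:
        csr.public_key().verify(sig, tbs, padding.PKCS1v15(),
                                csr.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def resign_with_other_key(der: bytes, other: rsa.RSAPrivateKey) -> bytes:
    """The request from the question: keep certificationRequestInfo (and so
    PubKey1) untouched, replace the signature with one made by `other`."""
    tbs, alg, _ = split_csr(der)
    sig = other.sign(tbs, padding.PKCS1v15(), hashes.SHA256())
    sig_tlv = b"\x03" + _der_len(len(sig) + 1) + b"\x00" + sig
    body = tbs + alg + sig_tlv
    return b"\x30" + _der_len(len(body)) + body


def demo():
    """Returns (honest_request_accepted, mismatched_request_accepted)."""
    priv1, priv2 = gen_key(), gen_key()
    honest = make_csr(priv1, "example.test")
    mismatched = resign_with_other_key(honest, priv2)
    # The mismatched request still advertises PubKey1 ...
    assert (x509.load_der_x509_csr(mismatched).public_key().public_numbers()
            == priv1.public_key().public_numbers())
    # ... but PrivKey2 made the signature, so PubKey1 cannot verify it.
    return ca_verify(honest), ca_verify(mismatched)


if __name__ == "__main__":
    print(demo())
```

`ca_verify` walks the DER by hand only to make the point visible: the library's own `is_signature_valid` does the same thing internally, and `openssl req -verify -in csr.pem` is the command-line form of the same check. Because the verifying key is taken from the request itself, the only way to produce an acceptable signature is to hold the private half of the key you are asking the CA to certify.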