Yes Paul, you are right. Real CA must never accept CSR without verifying the signature.
Francesco Petruzzi Information Security Manager Innovery SpA Via Farini, 81 – 20159 Milano Cell. +39 320 170 4978 Da: Paul Yang [mailto:kaishen...@alipay.com] Inviato: giovedì 12 settembre 2019 10:46 A: Francesco Petruzzi Cc: openssl-users@openssl.org Oggetto: Re: CSR with only public key Dare any CA proceed to sign a CSR without verifying the signature… Maybe there are scenarios we are not aware about... On Sep 12, 2019, at 4:41 PM, Francesco Petruzzi <francesco.petru...@innovery.net<mailto:francesco.petru...@innovery.net>> wrote: Sign request with a fake private key and hope the client do not require signature verification. Regards Francesco Petruzzi Da: openssl-users [mailto:openssl-users-boun...@openssl.org] Per conto di Paul Yang via openssl-users Inviato: giovedì 12 settembre 2019 09:51 A: Bharathi Prasad Cc: Openssl Users Oggetto: Re: CSR with only public key How could you create the CSR with only public key? On Sep 12, 2019, at 3:50 PM, Bharathi Prasad <barati.j.pra...@gmail.com<mailto:barati.j.pra...@gmail.com>> wrote: Hi, I have the public key of the client but not the private key. I am required to generate a CSR with only public key. I understand private key is required for Proof of Possession. However, as per my requirement I am supposed to create CSR only with public key and my CA would create a certificate. I was able to create a CSR with CX509CertificateRequestCertificate and CX509Enrollment classes using the available public key. When I try to read the contents the of CSR in openssl (i used this command: openssl req -in client.csr -noout -text) i get "unable to load X509 request". Is this happening because the CSR does not contain the signature of private key or the CSR is faulty. Kindly help me. Regards, Bharathi -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html Regards, Paul Yang Regards, Paul Yang
