
Why do I have to create a certificate request (CSR) from the private key?

I am trying to create a Certificate Request (CSR) using the method below, where I need to give the private key. My understanding is that a CSR needs/contains only the public key information, along with other details about the requestor such as Company Name, etc. But if I extract the public key and pass it while creating the CSR, it throws the error below. So I am wondering why it requires a private key, although I understand the private key contains the public key as well. Is it just because the public key is trusted when it's with the private key in the form of a key pair, or something else?

openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048

openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr

Trying to generate using the public key:

openssl rsa -in domain.com.key.pem -pubout -out domain.publickey

openssl req -new -sha256 -key domain.publickey -out cert.csr

unable to load Private Key
140258108909384:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

The whole point of the certificate is to establish a relationship between the private key and you as the identity in the certificate.

  • The CSR is signed by the private key and verified by the CA (with the public key in the CSR), so he knows you have that key pair.
  • So he verifies offline that you are who you say you are, own that domain, etc., then he signs it with his private key.
  • So then if a third party trusts him, he can trust what the certificate says, which is that its owner is who it says.
  • Then if he can establish that the peer he is talking to owns that certificate, via another signature in the SSL handshake using your private key, he knows that the peer is you.
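
The proof-of-possession check described in this answer, as an added example that is not part of the original question or answer: it builds a CSR as in the question, runs the signature check a CA would run, shows that the check fails once the signature is altered, and reproduces the refusal when only the public key is supplied. The file names, the `example.test` subject and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; file names and the example.test subject are constructed.

# The CA's check: verify the CSR signature with the public key inside the CSR.
csr_sig_ok() {  # $1 = PEM or DER, $2 = CSR file
    openssl req -inform "$1" -in "$2" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_pop_demo() {
    d=$(mktemp -d) || return 1
    # Minimal config so "req -new" never prompts or depends on a system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = example.test\nO = Example Org\n' > "$d/req.cnf"

    # Key pair and CSR, as in the question.
    openssl genrsa -out "$d/demo.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$d/req.cnf" -key "$d/demo.key" -out "$d/demo.csr"
    csr_sig_ok PEM "$d/demo.csr" && echo "genuine_csr=verified" || echo "genuine_csr=rejected"

    # The CSR carries only the public half of the key pair.
    openssl req -in "$d/demo.csr" -noout -pubkey > "$d/from_csr.pub"
    openssl rsa -in "$d/demo.key" -pubout -out "$d/from_key.pub" 2>/dev/null
    cmp -s "$d/from_csr.pub" "$d/from_key.pub" && echo "pubkey=matches" || echo "pubkey=differs"

    # Alter the last byte of the signature (the final byte of the DER encoding).
    # Only the private key can produce a signature that verifies, so this fails.
    openssl req -in "$d/demo.csr" -outform DER -out "$d/demo.der"
    size=$(wc -c < "$d/demo.der")
    last=$(tail -c 1 "$d/demo.der" | od -An -tx1 | tr -d ' \n')
    { head -c $((size - 1)) "$d/demo.der"
      if [ "$last" = "00" ]; then printf '\001'; else printf '\000'; fi
    } > "$d/tampered.der"
    csr_sig_ok DER "$d/tampered.der" && echo "tampered_csr=verified" || echo "tampered_csr=rejected"

    # The question's attempt: a public key cannot sign, so "req -new" refuses it.
    if openssl req -new -sha256 -config "$d/req.cnf" -key "$d/from_key.pub" \
           -out "$d/bad.csr" 2>/dev/null
    then echo "public_key_only=accepted"
    else echo "public_key_only=refused"
    fi
    rm -rf "$d"
}

csr_pop_demo
```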
