可以在没有CSR且使用旧私钥的情况下颁发证书
[英]Can a Cert be issued without a CSR and using old Private Key
问题描述
I'm confused about something in the SSL renewal process using WHM/cPanel for an existing Comodo Extended Validation cert. 
对于使用WHM / cPanel的现有Comodo扩展验证证书的SSL续订过程中的某些事情,我感到困惑。
We have been issued a replacement certificate by Comodo without - I believe - every submitting a CSR for them. 我相信,Comodo已向我们颁发了替换证书,而我没有为他们提交CSR。 I say "I believe" because there are 3 people with access to WHM for this server, but I'm assured that no one has been fiddling in the last year. 我之所以说“我相信”,是因为有3个人可以访问此服务器的WHM,但可以肯定的是,去年没有人摆弄。
Does this sound possible? 这听起来可能吗? CAN a cert be supplied without a CSR if it's a replacement? 如果可以替代CSR,可以提供没有CSR的证书吗? I will attempt to get hold of Comodo but being a weekend, and seeing that the old cert runs out in a day I thought I'd consult the stackHiveMind :) 我将尝试抓住Comodo,但要度过一个周末,并且看到旧证书在一天之内就用完了,我以为我应该去找stackHiveMind :)
More info: As a test, I've tried to install the new cert and 'fetch' the existing private key, but when I try to submit that I get the following error: SSL install aborted due to error: Modulus mismatch, key file does not match certificate. 更多信息:作为测试,我尝试安装新的证书并“获取”现有的私钥,但是当我尝试提交时,出现以下错误: SSL安装由于错误而中止:模数不匹配,密钥文件与证书不匹配。 Please use the correct key file 请使用正确的密钥文件
1 个解决方案
解决方案1
5 已采纳 2012-02-18 18:37:56
In some cases, yes, you can. 在某些情况下,可以。 Assuming you have an RSA private key in PEM format, this will extract the public key (it won't generate a certificate): 假设您拥有PEM格式的RSA私钥,它将提取公钥(它不会生成证书):
openssl rsa -in key.pem -pubout -out pubkey.pem
This will create a new CSR with the public key, obtained from the private key file. 这将使用从私钥文件获得的公钥创建一个新的CSR。
openssl req -new -key key.pem -out host.csr
Note that, strictly speaking, a CA doesn't need you to submit a CSR to issue a certificate. 请注意,严格来说,CA 不需要您提交CSR来颁发证书。 All it needs is the public key (to which it will have access through your existing cert). 它需要的只是公钥(可以通过您现有的证书对其进行访问)。 It could potentially attach any Subject DN and attribute and issue it as a certificate without any need to contact you. 它可能会附加任何主题DN和属性,并将其作为证书颁发,而无需与您联系。 Of course such practices might be incompatible with their policies, but technically, it's possible. 当然,这种做法可能与其政策不兼容,但从技术上讲,这是可能的。 The CSR is merely a convenient format for you to send a public key to request a certificate, and submit the name and attributes you would like (which you all sign together). CSR只是一种方便的格式,您可以使用它发送公钥以请求证书,并提交所需的名称和属性(所有人都一起签名)。
SSL install aborted due to error: Modulus mismatch, key file does not match certificate.
Provided you've done the certificate operations properly, this could indicate that the new certificate you've been issued has been issued against a different key-pair than yours. 如果您已正确完成证书操作,则可能表明您已根据与您的密钥对不同的密钥对颁发了新证书。 This could indicate foul play, because someone else could have issued a CSR with their own key-pair and have had this certificate issued to them (which could be quite worrying since you're talking of an EV cert too, which is supposed to have additional protections against this.) 这可能表示犯规,因为其他人可能已经用自己的密钥对发出了CSR并已向他们颁发了此证书(这可能会让人很担心,因为您也正在谈论EV证书,这应该具有对此的附加保护。)
I would suggest checking with your colleagues if any have requested a new certificate or contacting your CA to find out why you've received a new certificate. 如果有任何人要求新证书,我建议与您的同事进行核对,或者与您的CA联系以了解为什么收到新证书。 Renewing the certificate using the previous public key might be part of their existing package. 使用先前的公共密钥续订证书可能是其现有软件包的一部分。 If it's using the same public key, it's not a problem, although it's better practice to change the key material, ie submit a CSR coming from a new key-pair, when renewing a certificate. 如果使用相同的公钥,这不是问题,尽管更改密钥材料是更好的做法,即在更新证书时提交来自新密钥对的CSR。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.