In the “TLS Basic” lesson of the “Security” Module, at timestamp 12:39, the private key (my-bank.key) is being used to generate the “my-bank.csr”. However, at timestamp 15:22, it is shown that the server’s public key is sent to CA to be signed.
Could you please clarify this ambiguity.
Thanks
No actual ambiguity. There are two different things happening in this part of the lecture, and they are separate in time. @12:39 he’s talking about creating the CSR file. If you read the article from Wikipedia, it says that
The CSR usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and a proof of authenticity including integrity protection (e.g., a digital signature).
So the CSR includes the information we want encoded in the certificate (CRT), the public key of the owner of the future certificate, and a cryptological signature to prove that the creator of the CSR possesses the private key corresponding to the public key supplied. But the CSR does not actually contain the private key – it only uses it to sign the CSR.
@15:22, the creator of the new certificate extracts the data from the CSR, and it also extracts the public key that was encoded into the CSR; it packages them up as an x509 certificate, signing the package with the certificate authorities private key. Once the creator of the cert gives a copy to the owner of the CSR, the combination of the CRT file and the CSR owner’s private key can be used to identify the that person or entity.
So these are two distinct operations, done at different times, by different programs.
Hi Rob,
Thanks for clarification. I got it. The public key is actually embedded in the command shown @12:39 because its pair is used to sign it. The rest is clear, Thanks again