
A public and private key pair will be generated during the creation of the CSR on our server. We will send the CSR and public key to the CA while holding the private key with us. The CA will validate our public key before signing it with the private key of the CA's root certificate. We have our own CA team to certify the CSR requests. My queries are as follows:

  1. Will the CSR itself include the public key, or do we need to provide the public key separately to the CA?
  2. Will the CSR be signed by our public key before sending it to the CA, or does the CSR hold the public key besides it?
  3. Will the CA sign over only the CSR, or over the combined set of CSR + public key?
  4. Should we install the CA's root and intermediate certs in our trust store on both the client and server side, since we are using our own CA instead of a global CA?
  5. When we are presenting the server certificate to the client, will that cert include the public key of the server?
  6. Should we install the server's public key in the truststore of clients for encryption purposes?

Thanks for the help, in advance.

AnilReddy
  • Steffan went above and beyond. I'd accept his answer on your behalf if I could. The one thing I'd change is that his answer is based on how most web servers validate certs and not MQ. Depending on which version of MQ you use and for newer versions what the validation policy is set to, you may in fact need to load the intermediate signers into your keystore. At one point it was not possible to receive your signed CSR without the complete signer chain present. – T.Rob Nov 26 '15 at 18:10

1 Answer

Will the CSR itself include the public key, or do we need to provide the public key separately to the CA?

The public key is inside the CSR.

Will the CSR be signed by our public key before sending it to the CA, or does the CSR hold the public key besides it?

The CSR is signed by your key. The public key is not enough; the private key is needed for signing.

Will the CA sign over only the CSR, or over the combined set of CSR + public key?

The CA will extract the information from the CSR, including the public key, and sign it. It will not sign the CSR itself.

Should we install the CA's root and intermediate certs in our trust store on both the client and server side, since we are using our own CA instead of a global CA?

Only the root needs to be stored at the client as trust anchor. The intermediate certs should be sent by the server together with the server's certificate inside the SSL handshake.

When we are presenting the server certificate to the client, will that cert include the public key of the server?

Yes, a certificate is the public key and additional information like subject (hostname).

Should we install the server's public key in the truststore of clients for encryption purposes?

No. The client will get the certificate during the SSL handshake. You only want to know about the server's certificate or public key before doing the handshake if you use certificate pinning.

Steffen Ullrich
  • Thanks Steffen. The queries below came up after reading your response. We are signing the CSR with the public key and the CA is signing with the private key of the root. And you are saying the public key will be exchanged during the handshake – AnilReddy Nov 20 '15 at 14:20
  • @AnilReddy: signing is always done with the private key. And the public key is part of the certificate which gets sent to the client inside the SSL handshake. – Steffen Ullrich Nov 20 '15 at 14:29
  • If we exchange the public key in the SSL handshake, how can we encrypt the data before we send it to the remote? If we use asymmetric encryption, we can encrypt it with our public key, but the remote can't decrypt it, since we will be holding the private key. In the case of symmetric encryption, we are exchanging the key, so a third party can easily decrypt it. – AnilReddy Nov 20 '15 at 14:35
  • @AnilReddy: your question moves way out of scope of this forum and is better suited for security.stackexchange.com. In fact I recommend you to study the answers to [How does SSL/TLS work?](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) in this forum. – Steffen Ullrich Nov 20 '15 at 15:22
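The answer above, walked through with openssl as an added example (not code from the post or its authors): it shows the public key inside the CSR, the CSR self-signature made with the private key, the CA issuing a certificate that carries that same public key, and chain validation passing only when the private root is the trust anchor. It assumes openssl 1.1.1 or later on a POSIX shell; the subject names and directory are made up.

```shell
# Added example, not from the original post: walk a CSR through a private CA
# with openssl and check where the public key sits at every step.
# Assumes openssl (1.1.1+) and a POSIX shell; all names below are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"

csr_demo() {
    cd "$WORK" || return 1
    # 1. Server key pair. The public key is derived from the private key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
    # 2. The CSR holds the subject plus the public key, self-signed with the PRIVATE key.
    openssl req -new -key server.key -subj "/CN=mq.example.test" -out server.csr 2>/dev/null
    # The CSR signature verifies with the public key embedded in the CSR itself.
    openssl req -in server.csr -noout -verify >/dev/null 2>&1 || return 1
    openssl pkey -in server.key -pubout -out key.pub 2>/dev/null
    openssl req -in server.csr -noout -pubkey -out csr.pub 2>/dev/null
    cmp -s key.pub csr.pub || return 1      # same key: nothing is sent separately
    # 3. Private root CA (self-signed) issues the server certificate from the CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
        -subj "/CN=Internal Root CA" -days 30 -out ca.crt 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out server.crt 2>/dev/null
    # The issued certificate carries the CSR's public key, signed by the CA's key.
    openssl x509 -in server.crt -noout -pubkey -out cert.pub 2>/dev/null
    cmp -s csr.pub cert.pub || return 1
}

# 4./5. Chain validation succeeds only when the verifier trusts the private root.
chain_ok()        { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
chain_untrusted() { ! openssl verify "$WORK/server.crt" >/dev/null 2>&1; }  # no trust anchor
cert_subject()    { openssl x509 -in "$WORK/server.crt" -noout -subject; }  # subject (hostname)

csr_demo && chain_ok && chain_untrusted && cert_subject
```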