I am completely new to the world of SSL and certificate registration, so please excuse my ignorance. I've recently been tasked with automating our certificate renewal and issuance process via PowerShell, and I'm trying to wrap my head around the process.
I understand that a private key is stored server-side which is used in the encryption/decryption process, but I'm not sure when that private key is generated. Does this occur when the CSR is generated, or is the private key only created when the certificate is received and installed from the CA?
I've done some testing wherein I created self-signed certificates and I'm able to find a private key via OpenSSL, but I'm just not sure where it came from. Any insight would be appreciated!
Does this occur when the CSR is generated
Yes, either when or before the CSR is generated. The key component of the CSR is the public key - and the public key is effectively a subset of the information that makes up the private key (which is why we sometimes call it a key pair).
So, in order for you to generate a CSR, you first need a key pair.
Worth noting is that since the CSR and the resulting Certificate only contain the public part of the key, they are safe to exchange over channels where privacy can't be guaranteed.
    Server                                    CA
      |                                        |
      1. Create key-pair                       |
      |                                        |
      2. Create CSR w/pub-key                  |
      |                                        |
      3. Send CSR to CA ---------------------->|
      |                                        |
      |                   4. Vet ownership claims in CSR
      |                                        |
      |                   5. Issue signed Certificate
      |                      signature must span the pub-key
      |                                        |
      |<---------------------- 6. Send Certificate back
      |                                        |
      7. Install signed cert                   |
      |                                        |
      8. Decrypt traffic using priv key        |
      |                                        |
Notice that at no point does the private key leave your server - it's not something the CA generates for you, so it must exist prior to you generating your CSR.
I've done some testing wherein I created self-signed certificates and I'm able to find a private key via OpenSSL, but I'm just not sure where it came from.
Worth noting is that when you create a new CSR or self-signed certificate with tools like openssl req or the IIS Manager, the tools silently generate the key for you unless you explicitly specify one - for IIS specifically, see this related ServerFault answer.
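The sequence in the diagram, played end to end with openssl as an added example (this is not code from the answer above, and it uses a POSIX shell rather than the PowerShell the question mentions). The server side creates the key pair explicitly in step 1 instead of letting openssl req generate one silently, builds a CSR from that existing key, and a throwaway CA constructed for the demo signs it. The checks afterwards are the ones worth running in an automated renewal pipeline before step 7: the public key in the returned certificate is the one from the key file made in step 1, the certificate verifies against the CA, and the CSR contains no private material. All file names, the CN values and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original answer: play both sides of the diagram
# with openssl. The server side makes a key pair first, builds a CSR from it,
# and a throwaway CA (constructed here for the demo) signs the CSR. The checks
# at the end show the private key never changed and never appeared in the CSR
# or the certificate. All file names and subjects are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed files

# Step 1 (server): create the key pair. This is the only place a private key is made.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
}

# Step 2 (server): build the CSR from the existing key. Only the public half goes in.
make_csr() {
    openssl req -new -key "$WORK/server.key" -subj "/CN=example.test" \
        -out "$WORK/server.csr" 2>/dev/null
}

# Steps 4-6 (CA): a throwaway self-signed CA signs the CSR with its own key.
# server.key is never read here: the CA only ever sees the CSR.
ca_sign_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Throwaway Demo CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/server.crt" 2>/dev/null
}

# SHA-256 of the DER-encoded public key, taken from three different artefacts.
# If a key had been swapped or regenerated along the way, these would not agree.
der_pubkey_sha256() { openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
pubkey_sha256_from_key()  { openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | der_pubkey_sha256; }
pubkey_sha256_from_csr()  { openssl req  -in "$WORK/server.csr" -pubkey -noout 2>/dev/null | der_pubkey_sha256; }
pubkey_sha256_from_cert() { openssl x509 -in "$WORK/server.crt" -pubkey -noout 2>/dev/null | der_pubkey_sha256; }

# Step 7 pre-install checks: the certificate that came back must carry our public key
# and must verify against the CA we sent the CSR to (its signature spans the pub-key).
cert_matches_key()  { [ "$(pubkey_sha256_from_key)" = "$(pubkey_sha256_from_cert)" ]; }
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }

# The CSR must not be loadable as a private key: it carries no private material.
csr_has_no_private_key() { ! openssl pkey -in "$WORK/server.csr" -noout >/dev/null 2>&1; }

run_demo() {
    make_keypair
    make_csr
    ca_sign_csr
    printf 'pubkey from key : %s\n' "$(pubkey_sha256_from_key)"
    printf 'pubkey from CSR : %s\n' "$(pubkey_sha256_from_csr)"
    printf 'pubkey from cert: %s\n' "$(pubkey_sha256_from_cert)"
    if cert_matches_key && cert_chains_to_ca && csr_has_no_private_key; then
        echo "OK: the key made in step 1 is the one the certificate binds; the CSR holds no private key"
    else
        echo "MISMATCH: do not install this certificate" >&2
        return 1
    fi
}

run_demo
```

The three fingerprints printed are identical because the public key is fixed the moment step 1 runs; the CSR and the certificate are just two containers for it. In a renewal pipeline the same pattern applies: either reuse the existing key file (as here) or generate a fresh one explicitly, then check the returned certificate against that key before installing it, so that a certificate issued for the wrong key is caught before it reaches the server.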