
I need to send a client an SSL Certificate Request (from IIS 6.0)

They have requested that it ONLY be sent encrypted using an app like Winzip.

My question is: is this actually an issue?

My very basic understanding of certificates is that the request does not contain any information that would help a hacker in obtaining the final certificate.

Am I completely wrong?

Robin Day
  • It may not be an issue, but that's what the client is requesting and it can't do any harm to encrypt it before you send it, so I say go ahead and encrypt it as the client has asked. – joeqwerty Nov 10 '10 at 13:40
  • @joeqwerty Of course I will do as the Client requests... My question is why. – Robin Day Nov 10 '10 at 16:28

1 Answer


The CSR contains only the public keys along with some extra information about the certificate. There is nothing secret in there really.

The problem is instead integrity protection: How can they be certain that they are signing the correct CSR, and that it has not been tampered with in transport. It's not very hard for a man in the middle to take your CSR and replace it with one where the MITM has control over the keys.

Therefore the transport of the CSR has to be integrity protected somehow. Encrypted container formats are one way to provide integrity protection, along with (cryptographic) hash functions or digital signatures.

pehrs
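The two points in the answer above, that a CSR carries only the public key and that the real risk is modification or replacement in transit, can be checked directly. The following Go program is an added example and not code from the question or the answer; it uses only the standard library, generates a throwaway RSA key and CSR for the constructed name `www.example.com`, and then shows three things: the parsed CSR exposes nothing but the public half of the key, the CSR's own proof-of-possession signature catches modification of the request but not wholesale replacement by a different CSR, and a SHA-256 fingerprint of the DER bytes compared over an independent channel catches both. Function names (`MakeCSR`, `CSRMatchesKey`, `SelfSignatureValid`, `Fingerprint`, `TamperSubject`) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
)

// MakeCSR generates a fresh 2048-bit RSA key pair and a DER-encoded PKCS#10
// CSR for commonName (a constructed example name). Only the DER bytes go to
// the CA; the private key is returned here solely so the checks below can
// compare the CSR against it.
func MakeCSR(commonName string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: commonName, Organization: []string{"Example Org"}},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// CSRMatchesKey parses the CSR and reports whether the public key inside it
// is the public half of key. The parsed request has a PublicKey field and
// no private material at all, which is why a CSR is not a secret.
func CSRMatchesKey(der []byte, key *rsa.PrivateKey) (bool, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false, err
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey), nil
}

// SelfSignatureValid checks the signature every CSR carries over its own
// contents. It detects modification of a CSR but not replacement: a CSR an
// attacker built with their own key is signed by that key and verifies fine.
func SelfSignatureValid(der []byte) bool {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false
	}
	return csr.CheckSignature() == nil
}

// Fingerprint returns the hex SHA-256 of the DER CSR. Reading this value to
// the CA over an independent channel (phone, in person) binds the CA to the
// exact CSR the requester produced, whether it was modified or replaced.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// TamperSubject models in-transit modification: it flips one bit of the first
// byte of the common name inside the signed CertificationRequestInfo, so the
// DER still parses but the self-signature no longer matches.
func TamperSubject(der []byte, commonName string) ([]byte, error) {
	i := bytes.Index(der, []byte(commonName))
	if i < 0 {
		return nil, fmt.Errorf("common name %q not found in CSR", commonName)
	}
	out := append([]byte(nil), der...)
	out[i] ^= 0x01 // 'w' becomes 'v': still a printable ASCII letter
	return out, nil
}

func main() {
	der, key, err := MakeCSR("www.example.com")
	if err != nil {
		panic(err)
	}
	ok, _ := CSRMatchesKey(der, key)
	fmt.Println("CSR carries our public key:", ok)
	fmt.Println("fingerprint to confirm out of band:", Fingerprint(der))

	// Modified in transit: self-signature breaks and the fingerprint changes.
	mod, _ := TamperSubject(der, "www.example.com")
	fmt.Println("modified CSR self-signature valid:", SelfSignatureValid(mod))

	// Replaced in transit: self-signature still passes; only the fingerprint tells.
	sub, _, _ := MakeCSR("www.example.com")
	fmt.Println("replaced CSR self-signature valid:", SelfSignatureValid(sub))
	fmt.Println("replaced CSR fingerprint matches:", Fingerprint(sub) == Fingerprint(der))
}
```

Run it with `go run` and the last line prints `false`: the substituted CSR is internally consistent, so only the out-of-band fingerprint (or a signature or an authenticated container, as the answer says) reveals that the CA is about to sign someone else's key. An encrypted archive helps only if the password is exchanged over a channel the attacker cannot also use to swap the archive.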