Expectations for private key rotation when rotating a certificate #185

@CDR-Register-Stream

Description

A question has been raised: can duplicate CSRs be used when reissuing a certificate?

Upon investigation, when a CSR is generated for the same domain (common name), same metadata and using the same private key, an identical CSR is generated. This can be replicated using the following commands:

```sh
# Generate a new RSA key and a first CSR for test.com
openssl req -new -newkey rsa:2048 -nodes -out test_com.csr -keyout test_com.key -subj "/C=AU/ST=NSW/L=Sydney/O=CSR/CN=test.com"

# Generate a second CSR from the same private key with the same subject
openssl req -new -key test_com.key -nodes -out test_com2.csr -subj "/C=AU/ST=NSW/L=Sydney/O=CSR/CN=test.com"

# Byte-compare the two CSRs; no output means they are identical
cmp test_com.csr test_com2.csr
```

If duplicate CSRs are not permissible, then the ACCC is imposing private key rotation requirements on participants as it is tightly coupled to certificate rotation requirements.

Expectations need to be set on:

  • How certificate rotation will function
  • Are duplicate CSRs permissible within the certificate management processes and, if not,
  • Where the line is drawn on private key rotation requirements
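The same question from the defender's side, as an added example that is not part of this issue or of the CDR Register's own tooling: a shell check that compares the public key (SubjectPublicKeyInfo) in the reissue CSR against the currently deployed certificate, which is what "was the private key rotated?" actually asks. It also shows why a byte comparison of CSRs with cmp only works for RSA's deterministic PKCS#1 v1.5 signature: an ECDSA CSR is re-signed with a random nonce and differs on every run even when the key was not rotated. The subject string, file names and temp directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the issue or the CDR Register project: flag a reissue
# CSR that reuses the private key of the certificate it replaces by comparing
# the SubjectPublicKeyInfo (SPKI) of both, instead of comparing CSR bytes.
# File names, the subject string and the temp directory are assumptions.
set -eu

SUBJ="/C=AU/ST=NSW/L=Sydney/O=CSR/CN=test.com"

# SHA-256 of the DER-encoded public key in a certificate ($1=x509) or CSR ($1=req).
spki_fingerprint() {
  openssl "$1" -in "$2" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 only when the CSR ($2) carries a different key than the certificate ($1).
key_rotated() {
  [ "$(spki_fingerprint x509 "$1")" != "$(spki_fingerprint req "$2")" ]
}

# Constructed fixtures in a fresh temp dir (its path is printed):
#   old.crt / old.key  current self-signed RSA certificate and its key
#   reuse.csr          reissue CSR signed with old.key (must be flagged)
#   fresh.csr          reissue CSR with a newly generated key (must pass)
#   ec1.csr / ec2.csr  two CSRs from one EC key: ECDSA uses a random nonce, so
#                      they differ byte-wise although the key did not rotate
make_fixtures() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
    -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
  openssl req -new -key "$d/old.key" -subj "$SUBJ" -out "$d/reuse.csr"
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$d/new.key" -out "$d/fresh.csr" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key"
  openssl req -new -key "$d/ec.key" -subj "$SUBJ" -out "$d/ec1.csr"
  openssl req -new -key "$d/ec.key" -subj "$SUBJ" -out "$d/ec2.csr"
  echo "$d"
}

# Stand-alone run: `sh keycheck.sh demo` prints a verdict per fixture.
if [ "${1:-}" = "demo" ]; then
  d=$(make_fixtures)
  for csr in reuse fresh; do
    if key_rotated "$d/old.crt" "$d/$csr.csr"; then echo "$csr.csr: new key";
    else echo "$csr.csr: KEY REUSED"; fi
  done
  cmp -s "$d/ec1.csr" "$d/ec2.csr" || echo "ec1/ec2 differ byte-wise, same key"
fi
```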

Labels: documentation, query, request for feedback