Certificate Signing Request (CSR) Explained (Bare Metal Cloud Security Series)

In my last video, I discussed public key infrastructure or PKI. Now, I want to dive a little deeper and look at how certificates are actually requested and issued. And that's the subject for today called certificate signing request or CSR. The goal here is to create a certificate that contains a public key and identifies the owner. These certificates are called X.509. To get started, first we'll create a public and private key pair. By the way, if you want to understand how these keys are created, check out my video covering asymmetric encryption. Once the keys are created, we'll create the CSR. The CSR contains some information about the certificate. Things like uh details about the owner, expiration information, and the public key. To verify the authenticity of this request, the CSR will be signed using the private key. This is called a signature. Now the signature is kind of important. So let me explain that next. A signature is made up of two operations. First a hash digest called a fingerprint. Then that fingerprint is encrypted using a private key to create the signature. Before I go further, I need to take a slight detour and talk about signatures and encryption. A public key is used to encrypt traffic for web requests. But with a signature, we use the private key to encrypt. So why do we use the public key to encrypt web traffic, but use the private key to encrypt a signature? In the case of web traffic, we want to allow anyone with a public key the ability to encrypt the traffic, but only a trusted server to be able to inspect the contents of the data. For a signature, it's the opposite. We want one entity to secure the signature with encryption, but we want anyone with a public key to be able to verify the signatures authenticity. Okay, getting back on track, let's use our certificate signing request to generate a certificate authority, also called a rootcert. We'll use a tool called OpenSSL to combine our CSR with a config file. And the config file contains details about the certificate that'll be used to generate theert. We'll then be prompted to sign the newert with our private key and this will give us our root CARert. To create the other certificates in the chain of trust, you would just repeat the process where eachert would point to the issuer that validates its authenticity. In my next video, we'll create a wildcard certificate for my cloud using a tool called OpenSSL. Thanks for stopping by and I'll see you in the next video.

This video explains the process of a Certificate Signing Request (CSR), at a high level. Discover what information is included in the CSR (like the public key and owner details), and how your private key is used to create a digital signature to verify the request's authenticity. I break down the two operations that create a signature—the hash digest (fingerprint) and the private key encryption—and clarify the key difference between encrypting with a public key (for web traffic) and encrypting with a private key (for signatures). Finally, see how the CSR is used with tools like OpenSSL to generate a Certificate Authority (CA) or root certificate and understand how the chain of trust is built. 0:00:00 - Intro 0:00:36 - Building the CSR and its contents 0:00:57 - Creating the Digital Signature 0:01:57 - Using the CSR to Generate a Root Certificate Amazon Affiliate Links - My recording Studio: - Cameras https://amzn.to/4msYu7v https://amzn.to/3JtfThX - Lenses https://amzn.to/4oOsrQX https://amzn.to/41iodr0 - Audio https://amzn.to/48PkdTb https://amzn.to/463UWmp https://amzn.to/4lDJ7bb - Lighting https://amzn.to/3HRiB09 https://amzn.to/4lMxxe2 https://amzn.to/3VdqgZM https://amzn.to/4mZ10T4 - Tripods, etc. https://amzn.to/3Jo6isO https://amzn.to/3Jsu1bj https://amzn.to/3JyvQDn https://amzn.to/4mQQJbk https://amzn.to/41lFMXb