A question has been raised: can duplicate CSRs be used when reissuing a certificate?
Upon investigation, when a CSR is generated for the same domain (common name), with the same metadata and using the same private key, an identical CSR is generated. This can be replicated using the following commands:
openssl req -new -newkey rsa:2048 -nodes -out test_com.csr -keyout test_com.key -subj "/C=AU/ST=NSW/L=Sydney/O=CSR/CN=test.com"
openssl req -new -key test_com.key -nodes -out test_com2.csr -subj "/C=AU/ST=NSW/L=Sydney/O=CSR/CN=test.com"
cmp test_com.csr test_com2.csr
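The following script is an added example, not part of the original issue, that reproduces the observation above and shows where it stops holding. It assumes `openssl` is on PATH and uses the same placeholder subject (`test.com`) as the commands above. The byte-identical result depends on the RSA PKCS#1 v1.5 signature being deterministic; with an EC key the two CSRs differ byte-for-byte (ECDSA uses a fresh random nonce per signature) yet carry the same subject and public key, which is what a CA would see as a duplicate. A CSR from a rotated key differs in both senses.

```shell
#!/bin/sh
# Added example (not from the original issue). Assumes openssl on PATH; all files
# are written to a temporary directory that is removed at the end.
set -eu

# Subject taken from the issue; test.com is a placeholder, not a real participant.
SUBJ="/C=AU/ST=NSW/L=Sydney/O=CSR/CN=test.com"

# Create a CSR for the given key and subject (no -nodes needed: the key is unencrypted).
make_csr() {
    openssl req -new -key "$1" -subj "$SUBJ" -out "$2" 2>/dev/null
}

# Byte-level comparison, as in the issue: "identical" or "different".
bytes_match() {
    if cmp -s "$1" "$2"; then echo identical; else echo different; fi
}

# Content comparison of what a CA actually uses: subject plus SubjectPublicKeyInfo.
# The signature is deliberately left out, since it may differ without the request differing.
content_match() {
    a=$(openssl req -in "$1" -noout -subject -pubkey)
    b=$(openssl req -in "$2" -noout -subject -pubkey)
    if [ "$a" = "$b" ]; then echo same; else echo changed; fi
}

# Runs the three cases and returns one summary line:
#   rsa:identical/same ec:different/same rotated:different/changed
run_demo() {
    dir=$(mktemp -d)

    # Case 1: same RSA key, same subject. RSA PKCS#1 v1.5 signing is deterministic,
    # so the two CSRs are byte-identical (the original observation).
    openssl genrsa -out "$dir/rsa.key" 2048 2>/dev/null
    make_csr "$dir/rsa.key" "$dir/rsa1.csr"
    make_csr "$dir/rsa.key" "$dir/rsa2.csr"

    # Case 2: same EC key, same subject. ECDSA draws a random nonce per signature,
    # so the bytes differ while subject and public key are unchanged.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key"
    make_csr "$dir/ec.key" "$dir/ec1.csr"
    make_csr "$dir/ec.key" "$dir/ec2.csr"

    # Case 3: rotated key, same subject. Neither bytes nor content match.
    openssl genrsa -out "$dir/rsa_new.key" 2048 2>/dev/null
    make_csr "$dir/rsa_new.key" "$dir/rsa_new.csr"

    printf 'rsa:%s/%s ec:%s/%s rotated:%s/%s\n' \
        "$(bytes_match   "$dir/rsa1.csr" "$dir/rsa2.csr")" \
        "$(content_match "$dir/rsa1.csr" "$dir/rsa2.csr")" \
        "$(bytes_match   "$dir/ec1.csr"  "$dir/ec2.csr")" \
        "$(content_match "$dir/ec1.csr"  "$dir/ec2.csr")" \
        "$(bytes_match   "$dir/rsa1.csr" "$dir/rsa_new.csr")" \
        "$(content_match "$dir/rsa1.csr" "$dir/rsa_new.csr")"

    rm -rf "$dir"
}

run_demo
```

The practical point for the policy question: a CA that rejects "duplicate CSRs" by comparing bytes would accept a resubmitted EC-keyed request but reject an RSA one, so any such rule needs to state whether it means byte-identical requests or requests carrying the same public key. Only the latter is equivalent to requiring key rotation.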
If duplicate CSRs are not permissible, then the ACCC is effectively imposing private key rotation requirements on participants, since key rotation becomes tightly coupled to the certificate rotation requirements.
Expectations need to be set on:
- How certificate rotation will function
- Whether duplicate CSRs are permissible within the certificate management processes and, if not,
- Where the line is drawn on private key rotation requirements