How is a self-signed certificate different from a certificate signing request

Tags: certificate-authority, cryptography, openssl, self-signed-certificate, ssl-certificate

From the wiki page for a Certificate signing request:

In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.

From the wiki page for a Self-signed certificate:

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key.

So it sounds like one would submit a CSR to a CA to get a digital identity certificate. This digital identity certificate could potentially be of the same format as a self-signed certificate (for example the Public-Key Cryptography Standards 12 format).

The key difference is: the self-signed certificate is signed by the same party that owns the private key, while the digital identity certificate returned by the certificate authority upon receiving the certificate signing request is signed using the certificate authority's private key.

Therefore the self-signed certificate is guaranteed to work for encryption but not identification, while the digital identification certificate from the certificate authority is guaranteed to work for encryption and identification.

Is this right? Would love clarification via examples.

Best Answer

the self-signed certificate is signed by the same party that owns the private key, while the digital identity certificate returned by the certificate authority upon receiving the certificate signing request is signed using the certificate authority's private key.

That is correct.

Therefore the self-signed certificate is guaranteed to work for encryption but not identification, while the digital identification certificate from the certificate authority is guaranteed to work for encryption and identification.

This gets kinda tricky. The CA-signed cert is only trusted for identification because the CA is included in the pre-populated certificate store built into browsers/OS. If I didn't have a pre-populated certificate store, neither of them would be trusted.

If I downloaded and verified certificate of that self-signed key and added it to my certificate store, then I could trust it for all purposes.

So from the point of view of the technology the only difference is that your self-signed cert wouldn't be built into my browser/OS.
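The question asked for clarification via examples, so here is one, added by the editor and not part of the question or the answer above. It uses openssl to produce all three artifacts from one server key: a self-signed certificate, a CSR, and the certificate a (throwaway, invented) CA issues from that CSR. It then prints subject and issuer of each and runs `openssl verify` against three trust stores: empty, containing only the CA, and containing only the self-signed certificate, which is exactly the experiment the answer describes. The names `www.example.test` and `Demo Root CA` are made up, the CA is a toy created on the spot, and the script assumes OpenSSL 1.1.1 or newer on PATH (for `-no-CAfile`/`-no-CApath`); the system trust store is deliberately ignored so the result depends only on what the script puts in the store.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: build a
# self-signed certificate, a CSR and a CA-issued certificate with openssl, then
# verify each against different trust stores. The names ("www.example.test",
# "Demo Root CA") and the throwaway CA are invented for this illustration.
# Needs OpenSSL 1.1.1 or newer (for -no-CAfile/-no-CApath).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal req config so the example does not depend on the system openssl.cnf.
# The ca_ext section is applied only to the throwaway CA (via -extensions).
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF

make_certs() {
    # Server key plus a self-signed certificate: the cert is signed with the
    # very key it certifies, so subject and issuer are the same name.
    openssl req -config "$CFG" -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/server.key" -out "$WORK/selfsigned.crt" \
        -subj "/CN=www.example.test" 2>/dev/null

    # A CSR for the same key: subject and public key, signed with the server
    # key only to prove possession. It carries no issuer and no validity period.
    openssl req -config "$CFG" -new -key "$WORK/server.key" -sha256 \
        -out "$WORK/server.csr" -subj "/CN=www.example.test" 2>/dev/null

    # Throwaway CA (itself self-signed) and the certificate it issues for the
    # CSR; that certificate is signed with the CA's key, not the server's.
    openssl req -config "$CFG" -extensions ca_ext -x509 -newkey rsa:2048 \
        -nodes -sha256 -days 1 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$WORK/casigned.crt" 2>/dev/null
}

subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# Public key of a certificate (.crt) or request (.csr), as PEM text.
pubkey_of() {
    case "$1" in
        *.csr) openssl req -config "$CFG" -in "$1" -noout -pubkey ;;
        *)     openssl x509 -in "$1" -noout -pubkey ;;
    esac
}

# OK if the CSR's proof-of-possession signature checks out, else FAIL.
csr_ok() {
    openssl req -config "$CFG" -in "$1" -noout -verify >/dev/null 2>&1 && echo OK || echo FAIL
}

# Verify $1 against a trust store holding exactly the certificates given after
# it (none means an empty store; the system store is ignored either way).
verify_with() {
    cert="$1"; shift
    store="$WORK/store.pem"
    : > "$store"
    for anchor in "$@"; do cat "$anchor" >> "$store"; done
    if [ -s "$store" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$store" "$cert" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -no-CAfile -no-CApath "$cert" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

make_certs
S="$WORK/selfsigned.crt"; C="$WORK/casigned.crt"; CA="$WORK/ca.crt"; R="$WORK/server.csr"
echo "CSR:          $(openssl req -config "$CFG" -in "$R" -noout -subject) pop=$(csr_ok "$R")"
echo "self-signed:  subject=$(subject_of "$S") issuer=$(issuer_of "$S")"
echo "CA-issued:    subject=$(subject_of "$C") issuer=$(issuer_of "$C")"
echo "empty store:  self-signed=$(verify_with "$S") ca-issued=$(verify_with "$C")"
echo "store={CA}:   self-signed=$(verify_with "$S" "$CA") ca-issued=$(verify_with "$C" "$CA")"
echo "store={self}: self-signed=$(verify_with "$S" "$S")"
```

Three things to notice in the output. The CSR and both certificates carry the same public key; only the signature (and therefore the issuer name) differs between the self-signed and the CA-issued certificate. With an empty store neither certificate verifies, which is the answer's point that the CA-signed one is not trusted by the technology as such but by the store. And adding the self-signed certificate itself to the store makes it verify just as the CA-issued one does once the CA is in the store.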