
How can I create a Certificate Signing Request (CSR) from an existing public key of a key pair (assuming the private key is in a safe spot elsewhere)?

Tags:

openssl

I'm using OpenSSL. All references of OpenSSL focus on the following two commands to create a CSR; one requires you to input an already existing private key (and derives the public key???) and the second will create a new key pair. I want to use MY public key, not create a new one.

Create a CSR and private key:

openssl req -newkey rsa:2048 -keyout my.key -out my.csr

Create a CSR from an existing private key:

openssl req -new -key my.key -out my.csr

For the first option I don't see why you need the private key as a parameter in the command. I see a lot of websites saying that the CSR is encrypted, but that does not seem to be true. If you drop a CSR into a CSR decoder (i.e. http://www.sslshopper.com/csr-decoder.html) then it can be parsed; thus my only conclusion is that it is only encoded, NOT encrypted.

Why is the private key inputted into these commands? How is the private key even utilized? If it is encrypting something, what is it encrypting?

If it is not used, can someone please tell me how to create a CSR with just the public key of my key pair?

Thanks in advance

funa68 asked Jan 31 '13 02:01




1 Answer

CSRs are signed using the private key to prevent tampering in transit to the CA. Accordingly, you need the private key to create one.

It is possible to create a CSR that has no signature, but such constructions are not common and the openssl binary itself has no provisions for creating them.

When generating a new CSR+key pair using the openssl command you listed first, it is not encrypting the CSR (that's not a desirable behavior; the CSR is the public data you submit, not secret information), but rather the private key.

Paul Kehrer answered Oct 11 '22 01:10
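
The points in the answer above can be checked with openssl itself: the CSR is readable without any key, the passphrase protects only the private key file, and the CSR's signature verifies against the public key it carries. This is an added example, not part of the original question or answer; the file names, subject and passphrase are constructed values.

```shell
#!/bin/sh
# Added example. Constructed values: file names, subject, passphrase.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
KEY="$DEMO_DIR/my.key"; CSR="$DEMO_DIR/my.csr"; PASS="pass:example-only"

# Same form as the first command in the question, made non-interactive.
make_csr() {
    openssl req -newkey rsa:2048 -keyout "$KEY" -passout "$PASS" \
        -subj "/CN=example.test" -out "$CSR" 2>/dev/null
}

# The CSR parses with no key or passphrase: it is encoded, not encrypted.
csr_is_plaintext() {
    openssl req -in "$CSR" -noout -subject | grep -q "example.test"
}

# The passphrase went to the private key file, which is what gets encrypted.
key_is_encrypted() {
    grep -q "ENCRYPTED" "$KEY"
}

# The CSR carries the public half of the key pair that signed it.
csr_pubkey_matches_key() {
    from_csr=$(openssl req -in "$CSR" -noout -pubkey)
    from_key=$(openssl pkey -in "$KEY" -passin "$PASS" -pubout)
    [ "$from_csr" = "$from_key" ]
}

# The signature made with the private key checks out against that public key.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}

make_csr || exit 1
for check in csr_is_plaintext key_is_encrypted csr_pubkey_matches_key csr_signature_ok; do
    if "$check"; then echo "$check: yes"; else echo "$check: no"; fi
done
```

The signature check is what lets a CA confirm that the requester holds the private key for the public key being certified, which is why `openssl req` asks for it.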