ICDSOFT Let's Encrypt CSR?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

REALLY NEW, NEED HELP
I am using ICDSOFT to host my site. I have enabled Let’s Encrypt. I have a 3rd party that we are working with that is asking for my CSR.

How do I generate that to give them?

Here is a sample of what they need

Example:


#2

Hi @supermaneck,

What’s your domain name?

If you’ve “enabled Let’s Encrypt”, do you already have a certificate? If so, why does the third party need a CSR? Normally a CSR is used to request an additional certificate, which wouldn’t be necessary if you already have one.


#3

peerless-cleaners.com

I’ve enabled Let’s Encrypt, but the 3rd party is looking for that info that I attached in the original message.
This is so that they can securely run credit cards.


#4

Sorry, I don’t understand. This request is unusual and we’ve never encountered it before. Normally credit card processors don’t ask customers for this information.

Depending on how you obtained your certificate, you may be able to get a copy of the associated CSR. What software did you use to request the certificate?

Is there a way that you could get the third party to get in touch with us or to come participate in this forum thread to explain the purpose of wanting the CSR?

It’s not that the CSR is secret or that there’s something improper about sharing it with someone, it’s that it’s hard to understand what the benefit of the CSR to the third party would be.

  • If the third party is going to use the CSR to obtain a certificate,
    (1) it shouldn’t need to do that, because you already have a valid certificate,
    (2) the third party wouldn’t be able to obtain the new certificate without having control of your web site, and
    (3) if it obtained a new certificate, the third party wouldn’t be able to use the new certificate without access to your private key.

  • If the third party isn’t going to use the CSR to obtain a certificate, all of the information that the CSR communicates (for example, what your site’s public key and domain name are) is already publicly available within your existing valid certificate.

So I can’t really see a purpose or benefit from this, and again, this isn’t a usual request that we’ve dealt with routinely.


#5

I’d guess this is for one of two things:

  1. They want to issue the OP a client certificate for authenticating against the API with. Old school payment providers and insurance companies often still use client-certificate based HTTPS authentication.

  2. The OP is supposed to encrypt or sign certain API calls with their RSA private key and the provider only uses the CSR as a convenient means to transport the RSA public key.

Either way @supermaneck it has nothing to do with the Web PKI and you probably don’t want to use the same private key you use for HTTPS for it. You really should figure out why they want one before proceeding as @schoen suggests.
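
Following the advice in reply #5 to keep this separate from the HTTPS key, here is an added example (not posted by anyone in the thread) that uses the `openssl` CLI to create a dedicated key and CSR, then checks that the CSR verifies, contains no private key, and does not reuse the HTTPS key. The file names, the subject, and the stand-in HTTPS key are constructed placeholders.

```shell
#!/bin/sh
# Added example. File names and the subject are constructed placeholders.
set -eu

# SHA-256 fingerprint of the public key inside a private key or a CSR.
spki_fp() {  # usage: spki_fp key|csr FILE
  case "$1" in
    key) openssl pkey -in "$2" -pubout -outform DER ;;
    csr) openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Create a fresh RSA key used only for the third party's API, plus a CSR for it.
make_api_csr() {  # usage: make_api_csr DIR SUBJECT
  ( umask 077   # private key readable by the owner only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$1/api-client.key" 2>/dev/null )
  openssl req -new -key "$1/api-client.key" -subj "$2" -out "$1/api-client.csr"
}

# Succeeds only if the CSR is well formed and neither exposes nor reuses a key.
csr_ok_to_send() {  # usage: csr_ok_to_send CSR API_KEY HTTPS_KEY
  # Self-signature must verify (match the message text; older openssl exits 0 on failure).
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  # The file handed over must not contain a private key block.
  ! grep -q 'PRIVATE KEY' "$1" || return 1
  # The CSR must carry the dedicated key ...
  [ "$(spki_fp csr "$1")" = "$(spki_fp key "$2")" ] || return 1
  # ... and that key must differ from the one used for HTTPS.
  [ "$(spki_fp csr "$1")" != "$(spki_fp key "$3")" ]
}

demo() {
  d=$(mktemp -d)
  # Throwaway key standing in for the web server's HTTPS key (constructed).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/https.key" 2>/dev/null
  make_api_csr "$d" "/O=Example Cleaners/CN=api-client.example.com"
  if csr_ok_to_send "$d/api-client.csr" "$d/api-client.key" "$d/https.key"; then
    openssl req -in "$d/api-client.csr" -noout -subject
    echo "send only $d/api-client.csr; api-client.key stays private"
  fi
}
demo
```
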


#6

I can add another-- I’ve had first-tier support people from processors ask for this info before, as part of an automated response / checklist when something breaks. It’s not uncommon for a CC processor to not have a CA in their trust-store, or not support SAN certs. Some won’t even bother reading any support requests until they have the CSR and issued Cert in front of them.


#7

Maybe providing them the CSR in some way proves to them that you are the owner of that public cert…?

