Is the CA allowed to change the CSR before signing?

Can someone tell me if Certification Authorities (CAs) can make changes to the Certificate Signing Request (CSR) before actually signing the certificate with their private key?

Specifically, I would like to know if it is valid for the CA to add additional fields (like EKU) to the certificate before adding their signature.

+1




2 answers


Yes

The CA is responsible for enforcing the organization's PKI security policies through its policy files and templates. This can include EKU (Extended Key Usage) attributes.



In effect, you are requesting a certain type of certificate from a CA on behalf of your subject. It is up to the CA to provide the type of certificates (and associated uses) that it will issue.

The CA does not actually modify the request so much as it issues a certificate of an authorized type.

+1
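What the answer above describes, as an added example that is not part of the original answers: a throwaway OpenSSL CA issues a certificate carrying an EKU that the CSR never requested, and both signatures still verify because the CSR and the certificate are separate signed objects. It assumes the openssl command-line tool with its default configuration file; "Demo CA" and "client.example.test" are constructed names.

```shell
#!/usr/bin/env bash
# Added example. "Demo CA" and "client.example.test" are constructed names.
set -eu

# Build a throwaway CA, a CSR that requests no extensions, and a certificate
# issued from that CSR under a CA-side policy. Prints the working directory.
issue_demo() {
  d=$(mktemp -d)
  # CA key pair and self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Subscriber key pair and CSR: subject and public key only.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  # CA policy (the "template"): extensions chosen by the CA, not the requester.
  printf '%s\n' 'keyUsage = critical, digitalSignature' \
    'extendedKeyUsage = clientAuth' > "$d/policy.ext"
  # The CA builds a new certificate from the CSR's subject and public key,
  # adds its own extensions, and signs the result. The CSR file is untouched.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/policy.ext" -out "$d/leaf.crt" 2>/dev/null
  echo "$d"
}

csr_has_eku()  { openssl req  -in "$1/leaf.csr" -noout -text | grep -q 'Extended Key Usage'; }
cert_has_eku() { openssl x509 -in "$1/leaf.crt" -noout -text | grep -q 'TLS Web Client Authentication'; }
# The requester's signature covers only the CSR; the CA's covers the certificate.
csr_sig_ok()   { openssl req -in "$1/leaf.csr" -noout -verify >/dev/null 2>&1; }
cert_sig_ok()  { openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1; }

dir=$(issue_demo)
csr_has_eku "$dir"  && echo "CSR requests EKU" || echo "CSR requests no EKU"
cert_has_eku "$dir" && echo "certificate carries EKU clientAuth"
csr_sig_ok "$dir"   && echo "CSR self-signature still verifies"
cert_sig_ok "$dir"  && echo "certificate verifies against the CA"
rm -rf "$dir"
```

Relying parties validate the CA's signature over the certificate, so when reviewing an issued certificate, compare its extensions against the CA's policy rather than against what the CSR asked for.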




I can't speak about CAs in general, but I once ran a Windows Server 2003 network with my own CA, and it is definitely possible with certreq (via the -attrib option) to add additional fields to the CSR before it gets to the CA. So it seems to me that the CA can do the same.



Your mileage may vary.

0








