Csr.io - a better certificate signing request generator
csr.ioIf you're in a position to generate a CSR, you should know that you never, EVER, let anyone else generate or even see your private key (including the commercial CA from which you're requesting a certificate). By using an online utility like this, you give the site owner an important component needed to perform man-in-the-middle attacks. Don't do it, kids.
It's a nice site but allowing someone else to generate your private key isn't a good idea. The server also apparently stores the key for (at least) a day.
A safer version might instead generate the openssl(1) commands needed to generate the files on your local machine.
Nice! But really, if you want it to be useful, ship it as something people can run themselves, not as a service. BECAUSE PRIVATE KEYS.
Letting someone else generate private keys for when you aren't even sure if they have good entropy much less might be malicious?
Smart.
An alternative would be to output an OpenSSL command using the data entered in the form that the user can run locally to generate the CSR and private keys.
This would be similar to what DigiCert's CSR generator does: https://www.digicert.com/easy-csr/openssl.htm
Wow, hats off to whoever came up with this incredibly useful and perfectly safe tool. :)
(I wonder how many private keys they'll end up with. This is a cheaper if somewhat less universal attack than compromising a CA directly.)
Well from what I've looked at, it seems that at least four entities will receive copies of every key pair. One to csr.io, one to Google Adsesne, one to Google Analytics, and one for the user.
Am I the only one missing an about page? There is no info whatsoever. For example I was wondering whether the certificate would be trusted by browsers or if it's self-signed. (Well it must be self-signed, it's too easy to sign one for facebook.com now, but not everybody knows that.) Who can I contact about bugs, feature requests, etc.?
Feature request: you might want to let Javascript generate the keypair so that people stop whining about letting someone else generate the private key. Although a valid argument, this isn't going to be used in production environments anyway.... Or is it, guys?!
Feature request: Let people set the key size. Also inform people about the key size (why 4096 is probably overkill at the moment).
Bug: You don't actually mention what the tool does. It generates some sort of certificate, but people will probably be under the impression that it will work instead of spawn another one of these: http://www.page-zone.com/SSL-warning-cpanel.jpg
> For example I was wondering whether the certificate would be trusted by browsers or if it's self-signed.
It's making CSRs, not certificates.
lovely interface, but the security is rendered completely pointless as the private key is generated remotely... you can't offer a secure version of this on a remote website.
You can. It's called Javascript and there are libraries to do public key encryption.
But yes, here you are right, the cert is generated by the server in this case.
Until DomCrypt[1] is implemented there is no reliable way to implement a CSPRNG in Javascript (that I am aware of!). The only way to do this securely would be to supply a page that includes some javascript to process a secret key that the user provides to the page which would then generate the CSR. It would be more effective to write all of this sites functionality into a shell script.
I did a CSPRNG in Javascript using mouse movements for entropy: https://github.com/fusionbox/mouseware
I don't see a detailed analysis of your RNG that would support the claim that it is suitable for use as a CSPRNG.
so by doing that you're still trusting the server not to send you evil Javascript that surreptitiously posts off your private key.
it's exactly equivalent from a security perspective, unless you read every line of Javascript, in which case you might as well read the openssl manual instead and generate the CSR yourself.
(note that there's a rarely used <input> keygen type, but to sign the CSR you'd need programmatic access to the private key, again defeating any security properties).
letting someone else generate your private key, seems legit!
Many HNers are understandably bashing this for privacy concerns. However, csr.io addresses a real problem, that generating CSR's is a pain in the neck.
Let me be the first to offer a positive suggestion: csr.io should keep doing exactly the same thing, but on the "results" page where it shows the key and CSR now, also generate and show the equivalent OpenSSL commands for someone to generate a key on their own machine. These commands should be able to be blindly copy/pasted into any Mac/Linux command prompt where OpenSSL is installed.
Sweet. Always do this so infrequently I have to go google the commands each time for the command line.
Glad you find it useful!
An info on the site itself when to use this, would be quite helpful. For example, I recently generated a self-signed SSL certificate for local development where this would have been handy. You should not use this for anything production related, of course.
While what others have said about remote private key generation is rather lapse security and could be used for malicious purposes, however for development purposes it's a neat little utility. Nice work.
A CSR is Certificate Signing Request, not a certificate, suggesting that this utility exists for the purpose of submitting a CSR to a Certificate Authority (CA). What "development purpose" could that serve? Nobody should use this, especially developers, who should know better.
Looks like Google Ads and Google Analyics are both running on the page with your private key and public key. So every key pair generated is probably stored by both of those services--forever.
Open source?
It's probably using openssl on the back end which is open source. http://www.openssl.org/
Sorry, I meant the script and site itself, not openssl itself.
or it might just be returning the same private key for everyone! who knows?