Csr.io - a better certificate signing request generator (opens in new tab)

(csr.io)

19 pointsJim_Neath13y ago27 comments

27 comments

If you're in a position to generate a CSR, you should know that you never, EVER, let anyone else generate or even see your private key (including the commercial CA from which you're requesting a certificate). By using an online utility like this, you give the site owner an important component needed to perform man-in-the-middle attacks. Don't do it, kids.

rgovostes13y ago

It's a nice site but allowing someone else to generate your private key isn't a good idea. The server also apparently stores the key for (at least) a day.

A safer version might instead generate the openssl(1) commands needed to generate the files on your local machine.

stfp13y ago

Nice! But really, if you want it to be useful, ship it as something people can run themselves, not as a service. BECAUSE PRIVATE KEYS.

mukyu13y ago

Letting someone else generate private keys for when you aren't even sure if they have good entropy much less might be malicious?

Smart.

mw662113y ago

An alternative would be to output an OpenSSL command using the data entered in the form that the user can run locally to generate the CSR and private keys.

This would be similar to what DigiCert's CSR generator does: https://www.digicert.com/easy-csr/openssl.htm

rdl13y ago

Wow, hats off to whoever came up with this incredibly useful and perfectly safe tool. :)

(I wonder how many private keys they'll end up with. This is a cheaper if somewhat less universal attack than compromising a CA directly.)

joeblau13y ago

Well from what I've looked at, it seems that at least four entities will receive copies of every key pair. One to csr.io, one to Google Adsesne, one to Google Analytics, and one for the user.

lucb1e13y ago

Am I the only one missing an about page? There is no info whatsoever. For example I was wondering whether the certificate would be trusted by browsers or if it's self-signed. (Well it must be self-signed, it's too easy to sign one for facebook.com now, but not everybody knows that.) Who can I contact about bugs, feature requests, etc.?

Feature request: you might want to let Javascript generate the keypair so that people stop whining about letting someone else generate the private key. Although a valid argument, this isn't going to be used in production environments anyway.... Or is it, guys?!

Feature request: Let people set the key size. Also inform people about the key size (why 4096 is probably overkill at the moment).

Bug: You don't actually mention what the tool does. It generates some sort of certificate, but people will probably be under the impression that it will work instead of spawn another one of these: http://www.page-zone.com/SSL-warning-cpanel.jpg

ceejayoz13y ago

> For example I was wondering whether the certificate would be trusted by browsers or if it's self-signed.

It's making CSRs, not certificates.

blibble13y ago

lovely interface, but the security is rendered completely pointless as the private key is generated remotely... you can't offer a secure version of this on a remote website.

lucb1e13y ago

You can. It's called Javascript and there are libraries to do public key encryption.

But yes, here you are right, the cert is generated by the server in this case.

ygjb13y ago

Until DomCrypt[1] is implemented there is no reliable way to implement a CSPRNG in Javascript (that I am aware of!). The only way to do this securely would be to supply a page that includes some javascript to process a secret key that the user provides to the page which would then generate the CSR. It would be more effective to write all of this sites functionality into a shell script.

[1] http://www.w3.org/TR/WebCryptoAPI/

1 more reply

blibble13y ago

so by doing that you're still trusting the server not to send you evil Javascript that surreptitiously posts off your private key.

it's exactly equivalent from a security perspective, unless you read every line of Javascript, in which case you might as well read the openssl manual instead and generate the CSR yourself.

(note that there's a rarely used <input> keygen type, but to sign the CSR you'd need programmatic access to the private key, again defeating any security properties).

ygjb13y ago

letting someone else generate your private key, seems legit!

tedchs13y ago

Many HNers are understandably bashing this for privacy concerns. However, csr.io addresses a real problem, that generating CSR's is a pain in the neck.

Let me be the first to offer a positive suggestion: csr.io should keep doing exactly the same thing, but on the "results" page where it shows the key and CSR now, also generate and show the equivalent OpenSSL commands for someone to generate a key on their own machine. These commands should be able to be blindly copy/pasted into any Mac/Linux command prompt where OpenSSL is installed.

caiusdurling13y ago

Sweet. Always do this so infrequently I have to go google the commands each time for the command line.

Jim_NeathOP13y ago

Glad you find it useful!

ch0wn13y ago

An info on the site itself when to use this, would be quite helpful. For example, I recently generated a self-signed SSL certificate for local development where this would have been handy. You should not use this for anything production related, of course.

jamescun13y ago

While what others have said about remote private key generation is rather lapse security and could be used for malicious purposes, however for development purposes it's a neat little utility. Nice work.

jackalope13y ago

A CSR is Certificate Signing Request, not a certificate, suggesting that this utility exists for the purpose of submitting a CSR to a Certificate Authority (CA). What "development purpose" could that serve? Nobody should use this, especially developers, who should know better.

joeblau13y ago

Looks like Google Ads and Google Analyics are both running on the page with your private key and public key. So every key pair generated is probably stored by both of those services--forever.

nphase13y ago

Open source?

joeblau13y ago

It's probably using openssl on the back end which is open source. http://www.openssl.org/

nphase13y ago

Sorry, I meant the script and site itself, not openssl itself.

blibble13y ago

or it might just be returning the same private key for everyone! who knows?

j / k navigate · click thread line to collapse

27 comments

jackalope13y ago

rgovostes13y ago

It's a nice site but allowing someone else to generate your private key isn't a good idea. The server also apparently stores the key for (at least) a day.

A safer version might instead generate the openssl(1) commands needed to generate the files on your local machine.

stfp13y ago

Nice! But really, if you want it to be useful, ship it as something people can run themselves, not as a service. BECAUSE PRIVATE KEYS.

mukyu13y ago

Letting someone else generate private keys for when you aren't even sure if they have good entropy much less might be malicious?

Smart.

mw662113y ago

An alternative would be to output an OpenSSL command using the data entered in the form that the user can run locally to generate the CSR and private keys.

This would be similar to what DigiCert's CSR generator does: https://www.digicert.com/easy-csr/openssl.htm

rdl13y ago

Wow, hats off to whoever came up with this incredibly useful and perfectly safe tool. :)

(I wonder how many private keys they'll end up with. This is a cheaper if somewhat less universal attack than compromising a CA directly.)

joeblau13y ago

Well from what I've looked at, it seems that at least four entities will receive copies of every key pair. One to csr.io, one to Google Adsesne, one to Google Analytics, and one for the user.

lucb1e13y ago

Feature request: Let people set the key size. Also inform people about the key size (why 4096 is probably overkill at the moment).

ceejayoz13y ago

> For example I was wondering whether the certificate would be trusted by browsers or if it's self-signed.

It's making CSRs, not certificates.

blibble13y ago

lovely interface, but the security is rendered completely pointless as the private key is generated remotely... you can't offer a secure version of this on a remote website.

lucb1e13y ago

You can. It's called Javascript and there are libraries to do public key encryption.

But yes, here you are right, the cert is generated by the server in this case.

ygjb13y ago

[1] http://www.w3.org/TR/WebCryptoAPI/

1 more reply

blibble13y ago

so by doing that you're still trusting the server not to send you evil Javascript that surreptitiously posts off your private key.

it's exactly equivalent from a security perspective, unless you read every line of Javascript, in which case you might as well read the openssl manual instead and generate the CSR yourself.

(note that there's a rarely used <input> keygen type, but to sign the CSR you'd need programmatic access to the private key, again defeating any security properties).

ygjb13y ago

letting someone else generate your private key, seems legit!

tedchs13y ago

Many HNers are understandably bashing this for privacy concerns. However, csr.io addresses a real problem, that generating CSR's is a pain in the neck.

caiusdurling13y ago

Sweet. Always do this so infrequently I have to go google the commands each time for the command line.

Jim_NeathOP13y ago

Glad you find it useful!

ch0wn13y ago

jamescun13y ago

jackalope13y ago

joeblau13y ago

Looks like Google Ads and Google Analyics are both running on the page with your private key and public key. So every key pair generated is probably stored by both of those services--forever.

nphase13y ago

Open source?

joeblau13y ago

It's probably using openssl on the back end which is open source. http://www.openssl.org/

nphase13y ago

Sorry, I meant the script and site itself, not openssl itself.

blibble13y ago

or it might just be returning the same private key for everyone! who knows?

j / k navigate · click thread line to collapse