Can we use the same CSR to create certificates for different companies?

Time: 2021-08-08 16:48:55

I have a quick question. I develop iOS apps for multiple clients. Each client has their own Apple accounts and I create certificates for them from my machine. My question here is can I use the same CSR file to create certificates for different companies? Thanks.

1 solution

#1


18  

Yes, technically you can use the same Certificate Signing Request to create multiple certificates for multiple companies; clearly, the certificate request must be uploaded from the right developer account.

The CSR in fact contains the requester's public key that will be used by the CA (in this case Apple) to create the requested certificate. You can see its content by using the openssl command:

openssl req -text -noout -verify -in CertificateSigningRequest.certSigningRequest 

But as a user correctly noted in a comment, all your certificates will be tied to the same private key (a public/private key pair is in fact regenerated each time you create a CSR), and this could lead to reduced security if the machine requesting the certificate gets compromised. Some services require a unique CSR for each certificate generation, but at the moment this is not enforced by Apple, which allows the same CSR to be reused. This CSR separation is especially useful for the creation of the distribution certificates and the APNS production certificates.
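The CSR separation described in the answer above, as an added example that is not part of the original post: it generates a fresh key pair and CSR per client with openssl, then fingerprints the public key inside each CSR to flag any key shared between clients. The client labels, file names, function names and the RSA 2048 key type are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: one key pair + CSR per client, plus a check for key reuse.
# Client labels and file names are constructed; RSA 2048 is an assumption.

# SHA-256 of the DER-encoded public key embedded in a CSR.
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Generate a fresh private key and a CSR for one client.
# The key is written unencrypted here; protect it on a real machine.
new_client_csr() {   # $1 = output dir, $2 = client label
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null &&
    chmod 600 "$1/$2.key" &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" \
        -out "$1/$2.certSigningRequest"
}

# Print "fingerprint file" for every CSR whose public key also appears in
# another CSR. Exit status 0 if any key is shared, 1 if all are unique.
find_shared_keys() {
    for f in "$@"; do
        printf '%s %s\n' "$(csr_pubkey_fp "$f")" "$f"
    done | sort | awk '
        { n[$1]++; line[NR] = $0; fp[NR] = $1 }
        END { for (i = 1; i <= NR; i++)
                  if (n[fp[i]] > 1) { print line[i]; hit = 1 }
              exit (hit ? 0 : 1) }'
}

demo() {
    d=$(mktemp -d) || return 1
    new_client_csr "$d" client-a && new_client_csr "$d" client-b || return 1
    # Constructed reuse: client-c is handed a copy of client-a's CSR.
    cp "$d/client-a.certSigningRequest" "$d/client-c.certSigningRequest"
    find_shared_keys "$d"/*.certSigningRequest; rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

The demo lists client-a and client-c under the same fingerprint, which is what any set of certificates issued from one reused CSR would share.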