I'm in the process of switching certificate authorities and I have a bit of a question regarding the certificate signing request (CSR). Is it possible to generate a CSR from a certificate that's already installed on my device, or should I just create a completely new certificate and CSR from the appliance to match the new CA?
3 Answers
You can definitely generate a CSR from an existing private key, but it's generally recommended to create a new private key when you get a new certificate. This helps with security and ensures best practices.
If you're sticking with the same private key, you can reuse your existing CSR. But if you're going to generate a new cert, you might as well generate a new key pair, especially if the CA has specific requirements on key size or security.
The CSR itself isn't tied to any specific CA. It simply contains a public key generated from your private key, which you keep secret. While some people suggest creating a new private key for every request, you can use the same private key as long as it still works with the CSR.
I totally agree, especially since using a new key makes it more secure.
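The options discussed in the answers above, as an added example that is not part of any answer: it builds a CSR from an existing key, a CSR from an already issued certificate plus its key, and a CSR from a fresh key, then compares public-key fingerprints. The subject, file names and the self-signed stand-in for the installed certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example: subject and file names are constructed placeholders.
set -eu
umask 077                                   # private keys readable by owner only
SUBJ="/CN=appliance.example.internal"

# SHA-256 over the DER-encoded public key, so a key, CSR and cert can be compared.
pub_fp() {  # usage: pub_fp key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Fresh RSA key; pass the bit length the new CA requires as the second argument.
new_key() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${2:-2048}" -out "$1" 2>/dev/null
}

# CSR signed with a given private key. Nothing in it names a CA.
csr_from_key() { openssl req -new -key "$1" -subj "$SUBJ" -out "$2"; }

# CSR rebuilt from an issued certificate: the subject comes from the certificate,
# but the matching private key is still needed to sign the request.
csr_from_cert() { openssl x509 -x509toreq -in "$1" -signkey "$2" -out "$3"; }

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

new_key "$WORK/old.key"
# Stand-in for the certificate already installed on the device (self-signed here).
openssl req -x509 -new -key "$WORK/old.key" -subj "$SUBJ" -days 1 -out "$WORK/old.crt"

csr_from_key  "$WORK/old.key" "$WORK/reuse.csr"                      # same key, new CSR
csr_from_cert "$WORK/old.crt" "$WORK/old.key" "$WORK/fromcert.csr"   # from the cert
new_key "$WORK/new.key"
csr_from_key  "$WORK/new.key" "$WORK/rekey.csr"                      # new key pair

printf '%-9s %s\n' "old.crt" "$(pub_fp cert "$WORK/old.crt")"
for f in reuse fromcert rekey; do
  printf '%-9s %s\n' "$f" "$(pub_fp csr "$WORK/$f.csr")"
done
```

The first three fingerprints printed are identical and the last one differs: reusing the key carries the same public key to the new CA, while a new key pair does not.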