A CSR is signed by the private key corresponding to the public key in the CSR. This check verifies the signature on the CSR is valid. An invalid signature indicates that the CSR has been modified since it was created or the public key in the CSR doesn't correspond to the private key used to sign it.

This check checks if the CSR's name contains a field with no value. For example, the CSR Decoder would issue a warning about the name given below because the locality field is present, but has no value.

CN=www.acme.com, O=acme, L=, C=gb

The reason for this warning is that some CAs may reject CSRs that contain fields with empty values.

In May 2008 Luciano Bello discovered a vulnerabilty in the Debian OpenSSL package that resulted in weak keys being generated. This check checks that the key you're using isn't a key generated from a Debian based system with this vulnerability.

For a number of years now many prominent voices in the security community have suggested a move away from 1024-bit RSA key lengths by the end of 2010. In Special Publication 800-57 NIST recommends that 1024-bit RSA keys only be used to protect data until 2010. In 2003, RSA Labs published a document that recommended 1024-bit RSA keys should not be used to protect data with a lifetime beyond 2010.This check warns you if the RSA key size is less than 2048 bits

Copyright © 2004-2010 Red Kestrel Consulting Limited. All Rights Reserved.

Terms of Use | Privacy Policy | Contact Us