Hi,

A quick question here. Should the Certificate Signing Request message be protected when requesting a certificate from a CA? If I am sending a PKCS10 request to a remote CA, there could be a possibility that an attacker might intercept the request, replace the Public Key and Signature fields with his own (correct) values and just leave the subject field as-is. The issued certificate would then contain the subject name of the original client but the public key of the attacker. In such a case, would it be the responsibility of the client to check and make sure the public key on the issued certificate matches his own public key?

Thanks, Sandeep
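
The client-side comparison asked about above, as an added example that is not part of the original message: a stand-in CA accepts any PKCS#10 request whose self-signature verifies, and the client then compares the public key in the issued certificate with its own. The function names, the subject `client.example`, the throwaway keys and the CA's behaviour are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey { // fresh P-256 demo key; error ignored for brevity
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// issue is a stand-in CA (assumption): it only verifies the CSR's self-signature.
func issue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR rejected (parse error: %v)", err)
	}
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "constructed test CA"}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, newKey())
	return x509.ParseCertificate(der) // returns an error if no DER was produced
}

// certMatchesKey is the client-side check: does the certificate carry my key?
func certMatchesKey(cert *x509.Certificate, own *ecdsa.PublicKey) bool {
	return own.Equal(cert.PublicKey)
}

// scenario requests a certificate with a CSR signed by csrSigner, then checks it against own.
func scenario(own, csrSigner *ecdsa.PrivateKey) (bool, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "client.example"}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, req, csrSigner)
	cert, err := issue(der)
	return err == nil && certMatchesKey(cert, &own.PublicKey), err
}

func main() {
	own := newKey()
	fmt.Println(scenario(own, own))      // CSR arrived as sent
	fmt.Println(scenario(own, newKey())) // CSR re-keyed and re-signed, subject kept
}
```

In the second case the stand-in CA still issues without error, because the replaced request carries a valid self-signature; only the comparison against the client's own key shows the difference.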