user2914877

Reputation: 73

Openssl creating a certificate from a CSR (No Private Key - Stored in another System)

I need to create a certificate based on a CSR generated by a third party; I have no access to the private key. The certificate generated needs to have keyUsage = keyCertSign as a minimum as part of the certificate.

C:/OpenSSL-Win32/bin/openssl.exe req -in C:/xampp/htdocs/certs/test.csr -out test.cer -config C:/xampp/htdocs/command.cnf

Which of course didn't work.

Is this possible? If not, can certreq be used instead? The PKI servers we are using are Microsoft based.

Upvotes: 4

Views: 10383

Answers (2)

Hexagon

Reputation: 6961

Given a certificate (ca-cert.pem) and its private key (ca-key.pem), use OpenSSL to sign a provided CSR (csr.pem) and generate a certificate for it (cert.pem) -

openssl x509 -req -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 365 -sha256

Meaning of options -

  • -CAcreateserial - serial number would be randomly generated for the certificate (and increased in future activations).
  • -days 365 - certificate would have a validity of 365 days.
  • -sha256 - certificate would use SHA256 as its signature algorithm (which is the default).

To generate such a certificate with "certificate signing" key usage (and also a CA basic constraint, which you probably need), create a configuration file (config.txt) -

[extensions]
keyUsage = keyCertSign
basicConstraints = CA:TRUE

And provide it to OpenSSL as well (pointing to the "extensions" section) -

openssl x509 -req -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 365 -sha256 -extfile config.txt -extensions extensions

Examine the resulting certificate -

openssl x509 -in cert.pem -noout -text

It has -

X509v3 extensions:
  X509v3 Key Usage:
    Certificate Sign
  X509v3 Basic Constraints:
    CA:TRUE

For completeness, here is how to create the "provided" CA key, CA self-signed certificate, subject key and CSR (here using RSA keys; EC keys can be used identically) -

CA key -

openssl genpkey -algorithm RSA -out ca-key.pem -pkeyopt rsa_keygen_bits:2048

CA self-signed certificate -

openssl req -key ca-key.pem -new -x509 -days 365 -out ca-cert.pem -sha256 -subj /CN=CACert

Subject key -

openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048

CSR for subject key -

openssl req -new -key key.pem -out csr.pem -sha256 -subj /CN=SubjectCert

Upvotes: 6
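The whole procedure from the answer above, run end to end and checked mechanically rather than by eye, as an added example that is not part of the original answer. It assumes an openssl binary (1.1.1 or 3.x) on PATH and builds all files in a temporary directory; the file names follow the answer, while marking the extensions critical and adding pathlen:0 is this example's tightening of the answer's config.txt.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes `openssl` (1.1.1 or 3.x)
# on PATH; every file name below is constructed here in a temporary directory.

# Create the issuing CA, a requester key plus CSR, sign the CSR, print the dir.
build_and_sign() {
    dir=$(mktemp -d)
    # The "provided" CA material from the answer (ca-key.pem / ca-cert.pem)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca-key.pem" 2>/dev/null
    openssl req -key "$dir/ca-key.pem" -new -x509 -days 365 -sha256 \
        -subj /CN=CACert -out "$dir/ca-cert.pem"
    # The requester keeps key.pem; the CA only ever receives csr.pem
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -sha256 -subj /CN=SubjectCert \
        -out "$dir/csr.pem"
    # Extensions come from a CA-controlled file, so the CA (not the requester)
    # decides them; critical + pathlen:0 is this example's tightening of config.txt
    printf '[extensions]\nkeyUsage = critical, keyCertSign\n' > "$dir/config.txt"
    printf 'basicConstraints = critical, CA:TRUE, pathlen:0\n' >> "$dir/config.txt"
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/config.txt" -extensions extensions \
        -out "$dir/cert.pem" 2>/dev/null
    printf '%s\n' "$dir"
}

# Proof of possession: the CSR's self-signature must verify before the CA signs
check_csr_signature() {
    openssl req -in "$1/csr.pem" -noout -verify >/dev/null 2>&1
}

# 0 only if cert.pem shows Certificate Sign and CA:TRUE and chains to ca-cert.pem
check_issued_cert() {
    text=$(openssl x509 -in "$1/cert.pem" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$1/ca-cert.pem" "$1/cert.pem" >/dev/null 2>&1
}

d=$(build_and_sign)
if check_csr_signature "$d" && check_issued_cert "$d"; then
    echo "cert.pem: keyCertSign + CA:TRUE, chains to ca-cert.pem"
fi
rm -rf "$d"
```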

Shane Powell

Reputation: 14148

If you have access to the private key, you can create a self-signed certificate. Depending on your situation you may have problems with the certificate being trusted.

If you don't, then you need to set up a CA. If you set up a CA (not that hard), then your problem is that you need to get the CA public key installed into the trusted CA list of all the machines and devices that connect to the server that gives back the certificate you generated. This is the reason you pay for a "trusted" CA-signed certificate: it's their problem to get their root CA certificate installed on as many machines and devices as they can, and also to keep the root CA certificates up to date.

Upvotes: 0
