If you don't have the webserver's private key, chances are good that you either don't own the webserver you want a certificate for (which is the entire reason why CSRs are signed by the private key, proof-of-possession) or you can't get the key-owner to generate a CSR for you, which suggests that they don't want you to have a CSR for that key.
However, I seem to recall this thread: someone needed to change the FQDNs that were in the CSRs they had, because their private keys were in some embedded device and the embedded device refused to include the FQDN of the host, rather only the hostname, in the CSRs it generated. I can't find any answer to this issue, other than what David suggested; it's going to take a source hack, I'm afraid. (As he says: look at the file ca.c, and look for how it signs input requests. If you can find a way to put the structure in memory, then edit the DN so that it includes the CN=host.fully.qualified.domain.name, and then sign it, you can do it.)

-Kyle H

On Thu, Jun 25, 2009 at 10:20 AM, Christoph Weber-Fahr <cwf...@arcor.de> wrote:
> Hello,
>
> a week ago I already sent this question - but apparently got no
> response. My problem is still unsolved.
>
> Yes, it may be a newbie question - but could someone at least provide
> some pointers or explain what about the question should be stated
> differently?
>
> Basically, I need to create a web server certificate, but I
> don't have the web server private key, nor do I have a usable CSR.
>
>
> -------- Original Message --------
> Subject: how can I sign a public key?
> Date: Thu, 18 Jun 2009 22:46:17 +0200
> From: Christoph Weber-Fahr <cwf...@arcor.de>
>
> Hello,
>
> Apparently I can't find a way to create an X.509 Web Server certificate
> for a given public key with openssl.
>
> I have a CSR with bad data, but I don't have the private key it has
> been signed with. I need a certificate, signed by my own local CA
> key, containing corrected data.
>
> So - is there a way to accomplish one of those
>
> - change the data in a csr before signing it with openssl x509 ?
> - generate an unsigned csr with openssl req for a given public key ?
> - sign a given public key with openssl x509 ?
>
> Any of those would solve my problem.
>
> Background - I have a bunch of embedded boxes that only export a
> csr and accept a certificate. But they are broken - they do not
> include the domain in the CN, so any access with fqdn creates
> an error.
>
> Any idea how to tackle this?
>
> Regards, and TIA for any suggestion,
>
> Christoph Weber-Fahr
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
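
Added example, not part of the thread and not OpenSSL project code: on OpenSSL releases that provide `openssl x509 -force_pubkey`, the CA owner can issue a certificate for the public key in a device CSR under a corrected CN without patching ca.c, while still checking the CSR's self-signature as proof of possession. The throwaway CA, the file names, the function names and `box1.example.internal` are constructed placeholders.

```shell
#!/bin/sh
# Added example with constructed data; names and paths are placeholders.

# Throwaway CA plus a "device" CSR whose CN is the bare hostname.
make_demo_inputs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Local CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=box1" \
        -keyout "$d/device.key" -out "$d/device.csr" 2>/dev/null
}

# reissue_with_fqdn CSR FQDN CA_CERT CA_KEY OUT_CERT
reissue_with_fqdn() {
    csr=$1 fqdn=$2 ca_crt=$3 ca_key=$4 out=$5
    tmp=$(mktemp -d) || return 1

    # 1. Proof of possession: the device CSR's self-signature must verify
    #    before its public key is accepted. Match the result message
    #    rather than relying on the exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' &&
    # 2. Take only the public key from the device CSR.
    openssl req -in "$csr" -noout -pubkey > "$tmp/device.pub" &&
    # 3. Scratch key and CSR that carry the corrected subject.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$tmp/scratch.key" -out "$tmp/scratch.csr" 2>/dev/null &&
    # 4. Sign the scratch CSR's subject, substituting the device public key.
    openssl x509 -req -in "$tmp/scratch.csr" -force_pubkey "$tmp/device.pub" \
        -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial -days 365 \
        -out "$out" 2>/dev/null
    rc=$?
    rm -rf "$tmp"    # the scratch private key is never needed again
    return $rc
}

# Usage (placeholders):
#   reissue_with_fqdn device.csr box1.example.internal ca.crt ca.key device.crt
```

The issued certificate only works on the device because the device still holds the matching private key; the scratch key signs nothing that is kept.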