> Hello everybody,
> 
> I have a question: A client system generates a CSR that contains some
> pieces of information and sends the CSR to my CA. What I want to do is
> NOT to directly sign the CSR / issue the Certificate but first to
> modify or add new pieces of information and then issue the
> certificate. Can this be done and if yes: how? Thank you!

It's not only possible, it's the only thing you can do. You can't sign the
CSR because it's already signed. What you do, and must do, is create a
certificate which you sign. You can, if you want to, copy fields out of the
CSR. The CSR serves three purposes:

1) It tells you the public key that you must embed in the certificate.

2) It provides you some (completely unverified) information about the entity
requesting the certificate that you can copy into the certificate if you
want, or not.

3) It provides cryptographic proof that the information provided in part 2
was provided by someone who knows the secret key corresponding to the public
key in part 1.

That's it. You do not sign the CSR. The requestor signs it. You create a
brand new certificate which you then sign.

DS



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
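The flow described in the reply above (check the CSR's self-signature, take only its public key, then build and sign a new certificate whose contents the CA chooses), as an added Go example using the standard library's crypto/x509; it is not part of the original thread and is not OpenSSL code. The helpers `issue` and `newDemo`, the Ed25519 keys and all names such as "root-admin" and "client-0042" are hypothetical, constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) returns a NEW DER certificate: only the public key comes from the CSR; cn and sans are the CA's own choices.
func issue(csrDER []byte, ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, sans []string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // purpose 3: requester holds the matching private key
	}
	if err != nil {
		return nil, fmt.Errorf("rejecting CSR: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; production CAs use random serials
		Subject: pkix.Name{CommonName: cn}, DNSNames: sans, // not csr.Subject / csr.DNSNames
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true} // IsCA stays false
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey) // purpose 1; the CA signs
}

// newDemo returns a constructed CSR carrying unverified claims, plus a throwaway CA.
func newDemo() (csr *x509.CertificateRequest, ca *x509.Certificate, caKey ed25519.PrivateKey, err error) {
	_, caKey, _ = ed25519.GenerateKey(rand.Reader)
	_, cliKey, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, t, t, caKey.Public(), caKey)
	if ca, err = x509.ParseCertificate(caDER); err != nil { // also fails if creation failed
		return
	}
	claims := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "root-admin"}, DNSNames: []string{"any.example"}}
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, claims, cliKey)
	csr, err = x509.ParseCertificateRequest(csrDER)
	return
}

func main() {
	csr, ca, caKey, _ := newDemo()
	der, err := issue(csr.Raw, ca, caKey, "client-0042", []string{"client-0042.example"})
	fmt.Printf("CSR claimed CN=%q; issued %d-byte cert for CN=%q, err=%v\n", csr.Subject.CommonName, len(der), "client-0042", err)
}
```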