Hi Martin:

On January 5, 2010 02:05:48 pm David Schwartz wrote:
> > Hello everybody,
> >
> > I have a question: A client system generates a CSR that contains some
> > pieces of information and sends the CSR to my CA. What I want to do is
> > NOT to directly sign the CSR / issue the Certificate but first to
> > modify or add new pieces of information and then issue the
> > certificate. Can this be done and if yes: how? Thank you!
>
> It's not only possible, it's the only thing you can do. You can't sign the
> CSR because it's already signed. What you do, and must do, is create a
> certificate which you sign. You can, if you want to, copy fields out of the
> CSR. The CSR serves three purposes:
>
> 1) It tells you the public key that you must embed in the certificate.
>
> 2) It provides you some (completely unverified) information about the
> entity requesting the certificate that you can copy into the certificate if
> you want, or not.
>
> 3) It provides cryptographic proof that the information provided in part 2
> was provided by someone who knows the secret key corresponding to the
> public key in part 1.
>
> That's it. You do not sign the CSR. The requestor signs it. You create a
> brand new certificate which you then sign.
To answer your ACTUAL question (sorry David :)): when you are using the OpenSSL CA (strangely enough: openssl ca) command, you can give it numerous options, including which Subject value to use (the -subj argument) and which extensions to use (via the -extfile and -extensions arguments). So you can set both which extensions you want and which Subject you want (causing both values in the CSR to be completely ignored) by a command like:

    openssl ca -config /etc/myca/openssl.cnf \
        -extfile /etc/myca/openssl-exts.cnf -extensions sig-medium \
        -subj "/C=CA/O=Example Company/OU=Engineering/CN=John Doe" \
        -in req.csr -out john-doe.pem

Where /etc/myca/openssl-exts.cnf contains:

    [ sig-medium ]
    basicConstraints = CA:FALSE
    keyUsage = critical, digitalSignature
    extendedKeyUsage = emailProtection, anyExtendedKeyUsage
    nsComment = "Do Not trust - PURE TEST purposes only"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    subjectAltName = @testsan
    authorityInfoAccess = @aia_points
    crlDistributionPoints = @crl_dist_points

    [ testsan ]
    email = testu...@example.com
    DNS = www.example.com
    dirName = test_dir
    URI = http://www.example.com/
    IP = 172.16.0.1
    otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:t...@kerberose-domain.internal
    otherName.1 = 1.3.6.1.5.5.7.8.7;IA5STRING:_mail.example.com
    otherName.2 = 1.3.6.1.5.5.7.8.5;UTF8:testu...@im.example.com

    [ aia_points ]
    caIssuers;URI.0 = http://www.example.com/caops/Signing-CA.p7c
    caIssuers;URI.1 = ldap://dir.example.com/<DN of Signing CA>?cACertificate;binary?base?objectclass=pkiCA

    [ crl_dist_points ]
    URI.0 = http://www.example.com/caops/test-signca1-crl.crl
    URI.1 = ldap://dir.example.com/<DN of Signing CA>?certificateRevocationList;binary?base?objectclass=pkiCA

Have fun.

--
Patrick Patterson
President and Chief PKI Architect, Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
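The procedure Patrick describes, as an added end-to-end example that is not part of the original thread or of OpenSSL's own documentation. It builds a throwaway CA in a temporary directory, creates a CSR whose Subject and requested SAN are deliberately bogus (constructed input standing in for an untrusted requester), issues a certificate with openssl ca using -subj, -extfile and -extensions, and then checks that the issued certificate carries the CA's Subject and extensions, the CSR's public key, and nothing else from the CSR. Every file name, DN value and section name below is an assumption for the demo; copy_extensions = none in the CA config is what guarantees the CSR's own extension request is not merged in.

```shell
#!/bin/sh
# Added example (not from the original post): override a CSR's Subject and
# extensions at issuance time with 'openssl ca'. All names/DNs are assumptions.
set -eu

write_configs() {
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
email_in_dn     = no
# Never copy extensions out of the CSR; everything comes from -extfile.
copy_extensions = none

[ policy_any ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ bogus_req_ext ]
# What the (untrusted) requester asks for; the CA must ignore it.
subjectAltName = DNS:www.example.com
EOF

  cat > openssl-exts.cnf <<'EOF'
[ sig-medium ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = email:john.doe@example.com
EOF
}

# Runs the whole flow in a subshell inside a temp dir; prints PASS on success.
sign_with_ca_overrides() (
  work=$(mktemp -d)
  cd "$work"
  mkdir newcerts && touch index.txt && echo 1000 > serial
  write_configs

  # 1. Throwaway signing CA (self-signed, CA:TRUE, with an SKI for AKI linkage).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -config openssl.cnf -extensions ca_ext -subj "/CN=Demo Signing CA" \
    -days 365 >/dev/null 2>&1

  # 2. Requester's CSR: wrong Subject, an unwanted SAN, but the right key.
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out req.csr \
    -config openssl.cnf -reqexts bogus_req_ext \
    -subj "/C=XX/O=Untrusted Org/CN=Not John Doe" >/dev/null 2>&1

  # 3. Issue: Subject and extensions chosen by the CA, CSR values ignored.
  openssl ca -batch -config openssl.cnf \
    -extfile openssl-exts.cnf -extensions sig-medium \
    -subj "/C=CA/O=Example Company/OU=Engineering/CN=John Doe" \
    -in req.csr -out john-doe.pem -notext >/dev/null 2>&1

  # 4. Checks: CA's Subject/SAN present, CSR's Subject/SAN absent, key kept.
  subj=$(openssl x509 -in john-doe.pem -noout -subject)
  text=$(openssl x509 -in john-doe.pem -noout -text)
  case "$subj" in *"John Doe"*) ;; *) echo "FAIL subject: $subj"; exit 1 ;; esac
  case "$subj" in *"Not John Doe"*|*"Untrusted Org"*) echo "FAIL CSR subject leaked"; exit 1 ;; esac
  case "$text" in *"www.example.com"*) echo "FAIL CSR SAN leaked"; exit 1 ;; esac
  case "$text" in *"john.doe@example.com"*) ;; *) echo "FAIL CA SAN missing"; exit 1 ;; esac
  [ "$(openssl req -in req.csr -noout -pubkey)" = "$(openssl x509 -in john-doe.pem -noout -pubkey)" ] \
    || { echo "FAIL public key mismatch"; exit 1; }
  openssl verify -CAfile ca.pem john-doe.pem >/dev/null 2>&1 || { echo "FAIL chain"; exit 1; }
  cd / && rm -rf "$work"
  echo PASS
)

[ "${1:-}" = "--run" ] && sign_with_ca_overrides
```

Run it as `sh demo.sh --run`; it prints PASS when the issued certificate's Subject and SAN are the CA's, the CSR's are gone, and the public key is the one from the CSR. The -subj value is still filtered by the CA's policy section, so any RDN you want to keep must be listed there (or use -preserveDN).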