Assuming by "get it signed" you mean signing the CSR, not getting a cert
issued from the CSR, which many people wrongly think is "signing the CSR":

Yes, OpenSSL has APIs for both X509 (cert) and X509_REQ.
You can read in a cert (PEM or DER), extract fields/extensions from it as
desired and put them in a "req" along with a new subject-public-key, and
sign with the corresponding (new) private-key. And write that out and send
it to a CA, and prove to them you are authorized to act for/as that subject
name(s).

 

But you can't copy anywhere near "all" fields/extensions. It looks to me
like the only ones you need are Subject(name) and if used
SubjectAlternativeNames.
You want to replace subjectkey, and if used SKI. A CSR cannot specify
Issuer, serial, validity, and a CA can't let you specify AKI, CRL/OCSP
access, Authority access, policies etc.
You might be able to request KU or EKU, but I think most CAs will hardcode
them.

 

You might even be able to do this without an actual program by scripting
commandline x509 plus some parsing and req, but I would worry that was
fragile. Note that there is a -x509toreq option on x509 but it doesn't do
what you want: it copies the subject name and the (old) subject pubkey -
and no extensions.

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Kamalraj Madhurakasan
Sent: Thursday, October 03, 2013 04:15
To: openssl-users@openssl.org
Subject: *** Spam *** CSR from old certificate and signing it using new
private key

 

Hi,

Is it possible to generate a new CSR from old certificate and combine it
with the newly generated private key and get it signed?

The use case is, we get the certificates from customers to troubleshoot their
issues. As they will not provide the private key, we need to open and check
the certificate and create our new CSR with all the fields manually. If it
is possible to copy all the fields from customer's certificate and sign it
using our private key that would be easy for us.

 

Thanks

Kamalraj
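
The command-line route mentioned in the reply above (x509, some parsing, then req), as an added example that is not part of the original thread: it copies only Subject and SubjectAlternativeName from the old certificate into a CSR whose public key and signature come from the new private key. It assumes OpenSSL 1.1.1 or later; the function names and the sample certificate are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes OpenSSL 1.1.1 or later
# (`x509 -ext`, `req -addext`). Function names are hypothetical.

# Subject DN in the /type=value form that `req -subj` accepts.
# Text round-trip: only safe for plain ASCII values without "/" or "+".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat |
        sed 's/^subject= *//'
}

# SAN in config syntax ("DNS:a, IP:192.0.2.1"); empty if the cert has none.
# Handles DNS, IP, email and URI entries only.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed -n '2{s/^ *//;s/IP Address:/IP:/g;p;}'
}

# csr_from_cert OLD_CERT NEW_KEY OUT_CSR
# Copies only Subject and SAN; public key and signature come from NEW_KEY.
csr_from_cert() {
    _subj=$(cert_subject "$1")
    [ -n "$_subj" ] || return 1
    _san=$(cert_san "$1")
    if [ -n "$_san" ]; then
        openssl req -new -batch -key "$2" -subj "$_subj" \
            -addext "subjectAltName=$_san" -out "$3"
    else
        openssl req -new -batch -key "$2" -subj "$_subj" -out "$3"
    fi
}

# Constructed sample input: throwaway self-signed "old" cert plus a new key.
make_sample() {   # make_sample DIR
    for k in old new; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$1/$k.key" 2>/dev/null
    done
    openssl req -x509 -new -batch -key "$1/old.key" -days 1 \
        -subj "/C=US/O=Example Corp/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,IP:192.0.2.10" \
        -out "$1/old.pem"
}

if [ "$#" -eq 3 ]; then csr_from_cert "$@"; fi
```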
