Hello Dave, Please see inline.
Assuming by “get it signed” you mean signing the CSR, not getting a cert issued from the CSR which many people wrongly think is “signing the CSR”: yes OpenSSL has APIs for both X509 (cert) and X509_REQ.

[Kamalraj] If you don’t mind, can you share those APIs?

You can read in a cert (PEM or DER), extract fields/extensions from it as desired and put them in a “req” along with a new subject-public-key, and sign with the corresponding (new) private-key.

[Kamalraj] The public key must be generated from the new private key, right?

And write that out and send it to a CA, and prove to them you are authorized to act for/as that subject name(s).

But you can’t copy anywhere near “all” fields/extensions. It looks to me like the only ones you need are Subject(name) and if used SubjectAlternativeNames. You want to replace subjectkey, and if used SKI. A CSR cannot specify Issuer, serial, validity, and a CA can’t let you specify AKI, CRL/OCSP access, Authority access, policies etc. You might be able to request KU or EKU, but I think most CAs will hardcode them.

[Kamalraj] If I use my local CA, then it is possible to ask this CA to use all those extensions while signing the new certificate, right?

You might even be able to do this without an actual program by scripting commandline x509 plus some parsing and req, but I would worry that was fragile. Note that there is a -x509toreq option on x509 but it doesn’t do what you want: it copies the subject name and the (old) subject pubkey – and no extensions.

[Kamalraj] I had plans to use the command line options. Now, as per your input, I will go ahead and create a binary that will use those APIs to create a new CSR and sign it using the local CA.
Thanks
Kamalraj

On Fri, Oct 4, 2013 at 4:02 AM, Dave Thompson <dthomp...@prinpay.com> wrote:
> Assuming by “get it signed” you mean signing the CSR, not getting a cert issued
> from the CSR which many people wrongly think is “signing the CSR”:
>
> yes OpenSSL has APIs for both X509 (cert) and X509_REQ.
> You can read in a cert (PEM or DER), extract fields/extensions from it as desired
> and put them in a “req” along with a new subject-public-key, and sign with the
> corresponding (new) private-key. And write that out and send it to a CA, and
> prove to them you are authorized to act for/as that subject name(s).
>
> But you can’t copy anywhere near “all” fields/extensions. It looks to me like
> the only ones you need are Subject(name) and if used SubjectAlternativeNames.
> You want to replace subjectkey, and if used SKI. A CSR cannot specify Issuer, serial, validity,
> and a CA can’t let you specify AKI, CRL/OCSP access, Authority access, policies etc.
> You might be able to request KU or EKU, but I think most CAs will hardcode them.
>
> You might even be able to do this without an actual program by scripting commandline
> x509 plus some parsing and req, but I would worry that was fragile. Note that there is a
> -x509toreq option on x509 but it doesn’t do what you want: it copies the subject name
> and the (old) subject pubkey – and no extensions.
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kamalraj Madhurakasan
> Sent: Thursday, October 03, 2013 04:15
> To: openssl-users@openssl.org
> Subject: *** Spam *** CSR from old certificate and signing it using new private key
>
> Hi,
>
> Is it possible to generate a new CSR from an old certificate and combine it
> with the newly generated private key and get it signed?
>
> The use case is, we get the certificates from customers to troubleshoot
> their issues. As they will not provide the private key, we need to open and
> check the certificate and create our new CSR with all the fields manually.
> If it is possible to copy all the fields from the customer's certificate and
> sign it using our private key, that would be easy for us.
>
> Thanks
> Kamalraj
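A command-line version of what Dave describes and Kamalraj plans to build, added here as an example and not taken from the thread or from OpenSSL's own documentation: it copies only the Subject and SubjectAlternativeName out of the customer's certificate, pairs them with a freshly generated key in a new CSR, and has a throwaway local CA issue the certificate, adding the CA-controlled extensions (SKI, AKI, basicConstraints, EKU) itself rather than taking them from the CSR. The stand-in "customer" certificate, the CA, and all paths and names are constructed for the example; the script assumes only the openssl binary (1.1.1 or later) and GNU sed.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild a CSR from a customer's cert
# (Subject + SAN only) under a brand-new key, then issue it from a local CA.
# Only the openssl command line is used; all names and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf.
# $1 = output path, $2 = extension lines (may be empty, may span lines)
write_req_cnf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n' >"$1"
  if [ -n "$2" ]; then
    printf 'req_extensions = ext\nx509_extensions = ext\n[dn]\n[ext]\n%s\n' "$2" >>"$1"
  else
    printf '[dn]\n' >>"$1"
  fi
}

# Constructed stand-in for the customer's certificate; its key is deleted at
# once because, as in the thread, the customer never hands it over.
make_customer_cert() {
  write_req_cnf "$WORK/cust.cnf" 'subjectAltName = DNS:www.example.test, DNS:example.test'
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/cust.key" \
    -subj '/C=US/O=Example Corp/CN=www.example.test' \
    -config "$WORK/cust.cnf" -days 30 -out "$1" 2>/dev/null
  rm -f "$WORK/cust.key"
}

# Throwaway local CA, standing in for the "local CA" Kamalraj mentions.
make_local_ca() {
  write_req_cnf "$WORK/ca.cnf" 'basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign'
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj '/CN=Local Test CA' -config "$WORK/ca.cnf" -days 30 \
    -out "$WORK/ca.pem" 2>/dev/null
}

# Subject of a cert in the slash form that `req -subj` accepts.
subject_of() {
  openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# SAN from the -text output of a cert ($1=x509) or CSR ($1=req), whitespace
# removed, e.g. "DNS:www.example.test,DNS:example.test"; empty if absent.
san_of() {
  openssl "$1" -in "$2" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}' | tr -d ' '
}

# Build the CSR: old Subject and SAN, new key. Issuer, serial, validity, AKI,
# AIA and CRL DP are deliberately absent: a CSR cannot carry them.
make_csr() {
  cert=$1; newkey=$2; csr=$3
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$newkey" 2>/dev/null
  san=$(san_of x509 "$cert")
  write_req_cnf "$WORK/csr.cnf" "${san:+subjectAltName = $san}"
  openssl req -new -key "$newkey" -subj "$(subject_of "$cert")" \
    -config "$WORK/csr.cnf" -out "$csr"
}

# The local CA issues the cert. It re-reads the SAN from the CSR and sets the
# CA-controlled extensions itself (x509 -req does not copy CSR extensions).
issue_from_csr() {
  csr=$1; out=$2
  san=$(san_of req "$csr")
  {
    printf 'basicConstraints = CA:FALSE\nsubjectKeyIdentifier = hash\n'
    printf 'authorityKeyIdentifier = keyid\nextendedKeyUsage = serverAuth\n'
    if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
  } >"$WORK/issue.cnf"
  openssl x509 -req -in "$csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/issue.cnf" -out "$out" 2>/dev/null
}

# Public key of a cert in PEM, so two certs' keys can be compared.
pubkey_of() { openssl x509 -in "$1" -noout -pubkey; }

# Succeeds if the private key in $1 matches the certificate in $2.
key_matches() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(pubkey_of "$2")" ]
}

make_customer_cert "$WORK/customer.pem"
make_local_ca
make_csr "$WORK/customer.pem" "$WORK/new.key" "$WORK/new.csr"
issue_from_csr "$WORK/new.csr" "$WORK/new.pem"
openssl verify -CAfile "$WORK/ca.pem" "$WORK/new.pem"
```

Run it as a plain shell script; the CSR, key and issued certificate live in a temporary directory that is removed on exit. The final `openssl verify` shows that the new certificate validates only against the local CA that issued it, which is all the troubleshooting use case needs; the customer's original issuer, serial, validity and AIA/CRL data are not reproduced because, as Dave points out, a CSR cannot carry them and a CA sets them itself.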