Thanks, Dw.
Interesting. I think I misunderstood this explanation about the -signkey <file>
option: "This option causes the input file to be self signed using the supplied
private key."
Your input has me thinking that a certificate signing request is in fact
self-signed like a self-signed certificate is self-signed. I think I mistakenly
supposed any self-signing meant acting like a "mini CA". I shall give those two
x509 options, '-x509toreq' and '-signkey', a try.
Douglas Morris
On Thursday, January 30, 2020, 3:51:45 PM EST, Dirk-Willem van Gulik
<[email protected]> wrote:
On 30 Jan 2020, at 21:38, Douglas Morris via openssl-users
<[email protected]> wrote:
I am trying to implement automated domain certificate renewal. A certificate
signing request is sent to an ACME server and on success a certificate is
returned. I'd like to be able to call OpenSSL to make a new key and then make a
new certificate signing request just like the old one except for the
replacement key pair file.
I suppose the complete information beyond the new key data is available both in
the old csr and the old certificate. I'm looking at the manpages of OpenSSL
subcommands 'req' and 'x509'. The openssl x509 option '-x509toreq' gave me a
momentary rush of hope, but then I read about the '-signkey' option, which
seems to be exclusively about self-signing.
Is 'cloning' the csr or cert. information semantically logical? Is it possible
with OpenSSL?
If I can't reliably extract the relevant data from the old csr or old
certification, I suppose I must do it as usual with a dedicated config file and
the '-batch' option:
openssl req -key <key> -new -config <config.ini> -outform PEM -out <outfile> -batch
openssl x509 -x509toreq should do the trick
E.g.
# generate test cert
openssl req -x509 -new -subj /CN=foo -nodes -keyout x.key > x.crt
openssl x509 -in x.crt -noout -text
# turn test cert into a request
openssl x509 -x509toreq -signkey x.key < x.crt
Dw