A CSR is self-signed to provide what's called "proof of possession" -- that is, proof that the requester possesses the private key to the claimed public key. It doesn't act as a CA in that case, because the CSR is not an actual Certificate structure.
-Kyle H

On Thu, Jan 30, 2020, 18:26 Douglas Morris via openssl-users <openssl-users@openssl.org> wrote:

> Thanks, Dw.
>
> Interesting. I think I misunderstood this explanation about the -signkey <file> option: "This option causes the input file to be self signed using the supplied private key."
>
> Your input has me thinking that a certificate signing request is in fact self-signed like a self-signed certificate is self-signed. I think I mistakenly supposed any self-signing meant acting like a "mini CA". I shall give those two x509 options, '-x509toreq' and '-signkey', a try.
>
> Douglas Morris
>
> On Thursday, January 30, 2020, 3:51:45 PM EST, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
>
> > On 30 Jan 2020, at 21:38, Douglas Morris via openssl-users <openssl-users@openssl.org> wrote:
> >
> > > I am trying to implement automated domain certificate renewal. A certificate signing request is sent to an ACME server and on success a certificate is returned. I'd like to be able to call OpenSSL to make a new key and then make a new certificate signing request just like the old one except for the replacement key pair file.
> > >
> > > I suppose the complete information beyond the new key data is available both in the old csr and the old certificate. I'm looking at the manpages of OpenSSL subcommands 'req' and 'x509'. The openssl x509 option '-x509toreq' gave me a momentary rush of hope, but then I read about the '-signkey' option, which seems to be exclusively about self-signing.
> > >
> > > Is 'cloning' the csr or cert. information semantically logical? Is it possible with OpenSSL?
> > >
> > > If I can't reliably extract the relevant data from the old csr or old certification, I suppose I must do it as usual with a dedicated config file and the '-batch' option:
> > > openssl req -key <key> -new -config <config.ini> -outform PEM -out <outfile> -batch
> >
> > openssl x509 -x509toreq should do the trick
> >
> > E.g.
> >
> > # generate test cert
> > openssl req -x509 -new -subj /CN=foo -nodes -keyout x.key > x.crt
> > openssl x509 -in x.crt -noout -text
> >
> > # turn test cert into a request
> > openssl x509 -x509toreq -signkey x.key < x.crt
> >
> > Dw
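The renewal Douglas describes, as an added example that is not from the thread: it rebuilds the request from the old certificate's subject under a fresh key, then checks the request's self-signature, which is the proof of possession Kyle describes. It assumes openssl 1.1.1 or later on PATH and its default one-line `-subject` output; the file names and the subject are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: renew a CSR under a fresh key by copying the
# old certificate's subject, then check the request before sending it to ACME.
# Assumes openssl 1.1.1+ on PATH; file names and the subject are constructed here.

# Stand-in for last year's certificate: constructed, self-signed, throwaway.
make_old_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example.test/O=Example Org" \
    -keyout "$1/old.key" -out "$1/old.crt" 2>/dev/null
}

# Turn openssl's one-line "subject=CN = x, O = y" back into "/CN=x/O=y" for -subj.
# Assumes no RDN value contains ", " or " = ".
subject_of() {
  openssl x509 -in "$1" -noout -subject |
    sed 's/^subject=//; s/ = /=/g; s/, /\//g; s/^/\//'
}

# Make a NEW key and a CSR carrying the old subject. `req -new` self-signs the
# request with that key: that is the proof of possession, not a "mini CA".
renew_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/new.key" 2>/dev/null || return 1
  openssl req -new -key "$1/new.key" -subj "$(subject_of "$1/old.crt")" \
    -out "$1/new.csr" 2>/dev/null
}

# Checks worth running before the CSR leaves the host:
# 1. the self-signature verifies against the public key embedded in the CSR,
# 2. that public key is the new key, not the old certificate's,
# 3. the subject came across unchanged.
check_csr() {
  openssl req -in "$1/new.csr" -noout -verify >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$1/new.csr" -noout -pubkey)
  new_pub=$(openssl pkey -in "$1/new.key" -pubout)
  old_pub=$(openssl x509 -in "$1/old.crt" -noout -pubkey)
  [ "$csr_pub" = "$new_pub" ] && [ "$csr_pub" != "$old_pub" ] || return 1
  [ "$(openssl req -in "$1/new.csr" -noout -subject)" = \
    "$(openssl x509 -in "$1/old.crt" -noout -subject)" ]
}

# Run the whole renewal in a scratch directory; 0 only if every check passes.
renew_demo() {
  d=$(mktemp -d) || return 1
  make_old_cert "$d" && renew_csr "$d" && check_csr "$d"
  rc=$?
  rm -rf "$d"
  return "$rc"
}
```

Subject alternative names are not carried over by this step; for an ACME-issued certificate they would have to be re-added (for example with `-addext`) when the request is built.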