Cloning a CSR or Cert. for a new CSR with a new key?


Cloning a CSR or Cert. for a new CSR with a new key?

OpenSSL - User mailing list
I am trying to implement automated domain certificate renewal. A certificate signing request is sent to an ACME server and on success a certificate is returned. I'd like to be able to call OpenSSL to make a new key and then make a new certificate signing request just like the old one except for the replacement key pair file.

I suppose the complete information beyond the new key data is available both in the old csr and the old certificate. I'm looking at the manpages of OpenSSL subcommands 'req' and 'x509'. The openssl x509 option '-x509toreq' gave me a momentary rush of hope, but then I read about the '-signkey' option, which seems to be exclusively about self-signing.

Is 'cloning' the csr or cert. information semantically logical? Is it possible with OpenSSL?

If I can't reliably extract the relevant data from the old csr or old certification, I suppose I must do it as usual with a dedicated config file and the '-batch' option:
     openssl req -key <key> -new -config <config.ini> -outform PEM -out <outfile> -batch

Any do's or don'ts on managing the input data of a signing request for automatic renewal (non-interactive execution)? I'm trying to minimize the file management requirements without losing generality.

Douglas Morris

Re: Cloning a CSR or Cert. for a new CSR with a new key?

Dirk-Willem van Gulik


On 30 Jan 2020, at 21:38, Douglas Morris via openssl-users <[hidden email]> wrote:

openssl x509 -x509toreq should do the trick

E.g.

# generate test cert
openssl req -x509 -new -subj /CN=foo -nodes -keyout x.key > x.crt
openssl x509 -in x.crt -noout -text

# turn test cert into a request
openssl x509 -x509toreq -signkey x.key < x.crt

Dw


Re: Cloning a CSR or Cert. for a new CSR with a new key?

OpenSSL - User mailing list
Thanks, Dw.

Interesting. I think I misunderstood this explanation about the -signkey <file> option: "This option causes the input file to be self signed using the supplied private key."

Your input has me thinking that a certificate signing request is in fact self-signed like a self-signed certificate is self-signed. I think I mistakenly supposed any self-signing meant acting like a "mini CA". I shall give those two x509 options, '-x509toreq' and '-signkey', a try.

Douglas Morris


On Thursday, January 30, 2020, 3:51:45 PM EST, Dirk-Willem van Gulik <[hidden email]> wrote:


Re: Cloning a CSR or Cert. for a new CSR with a new key?

Kyle Hamilton
A CSR is self-signed to provide what's called "proof of possession" -- that is, proof that the requester possesses the private key to the claimed public key.  It doesn't act as a CA in that case, because the CSR is not an actual Certificate structure.

-Kyle H

On Thu, Jan 30, 2020, 18:26 Douglas Morris via openssl-users <[hidden email]> wrote:


Re: Cloning a CSR or Cert. for a new CSR with a new key?

Dirk-Willem van Gulik

On 31 Jan 2020, at 01:25, Douglas Morris <[hidden email]> wrote:

Interesting. I think I misunderstood this explanation about the -signkey <file> option: "This option causes the input file to be self signed using the supplied private key."

Your input has me thinking that a certificate signing request is in fact self-signed like a self-signed certificate is self-signed. I think I mistakenly supposed any self-signing meant acting like a "mini CA". I shall give those two x509 options, '-x509toreq' and '-signkey', a try.

Correct - a CSR is generally signed by the party submitting it - thus proving that he or she has access to their own private key.

Dw.

Re: Cloning a CSR or Cert. for a new CSR with a new key?

OpenSSL - User mailing list
Thanks everyone for the replies and the community support. I don't think I got across what I am trying to do. I have experimented with subcommands req and x509. The openssl x509 -in <cert> -x509toreq -signkey <alt-key-file> does *NOT* do what I want (I'm pretty sure).

openssl x509 -x509toreq may sign a certificate signing request (csr) with a different key, but (as far as I can tell via the -text output) it does not change the public key documented (does not change the RSA Public key modulus) in the output request to match the private signature file.  The -text output from the input and output CSRs is identical. Neither do I see how a request (csr) could be provided to the subcommand x509 -x509toreq or to subcommand req to alter an existing csr to have a new domain authentication key (the documented public key). The req subcommand seems completely irrelevant to what I'd like to do. Is this an unusual use case?

I believe I will have to use a config file via the -config <file> option to support the creation of a new request with a new domain authentication key. Do I want to change my architecture to support that? No, because it's working well from the given csr file, but I want domain key rollover on automatic renewal. If I must create a new csr from scratch to support domain key replacement, the csr is not a viable starting point, and neither is the certificate file from the CA. Is there a flaw in my logic?

Douglas Morris


On Friday, January 31, 2020, 4:42:21 AM EST, Dirk-Willem van Gulik <[hidden email]> wrote:
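The key-rollover flow the thread arrives at, written out as an added example that is not part of the thread or of the OpenSSL project: read the subject and subjectAltName out of the old certificate, generate a new key, build the new CSR non-interactively with `openssl req -batch` and a generated config, and check the result before handing it to the ACME client. The function names and the temporary config layout are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): renewal CSR that keeps the subject and
# subjectAltName of the old certificate but carries a NEW key.  x509 -x509toreq
# -signkey only re-signs and leaves the old public key in the request, so key
# rollover means rebuilding the CSR with `openssl req` from the old cert's data.
set -eu

# subject_of x509|req FILE: subject in the slash form that `req -subj` takes.
# Caveat: a literal "/" inside an RDN value would need escaping.
subject_of() {
  openssl "$1" -in "$2" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# san_of x509|req FILE: subjectAltName as a config value ("DNS:a,DNS:b"),
# empty when the file has none.  Read from the -text dump, so it also works
# on releases that lack `x509 -ext`.
san_of() {
  openssl "$1" -in "$2" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;s/, */,/g;s/IP Address:/IP:/g;p;}'
}

# renew_csr OLD_CERT NEW_KEY NEW_CSR: generate NEW_KEY and a CSR for it that
# clones the subject and SAN of OLD_CERT, non-interactively (-batch).
renew_csr() {
  subj=$(subject_of x509 "$1")
  san=$(san_of x509 "$1")
  cfg=$(mktemp)
  {
    # [dn] is deliberately empty: the subject is supplied with -subj.
    printf '[req]\ndistinguished_name = dn\n'
    if [ -n "$san" ]; then
      printf 'req_extensions = ext\n[ext]\nsubjectAltName = %s\n' "$san"
    fi
    printf '[dn]\n'
  } >"$cfg"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null
  openssl req -new -key "$2" -subj "$subj" -config "$cfg" -batch -outform PEM -out "$3"
  rm -f "$cfg"
}

# check_csr OLD_CERT NEW_KEY NEW_CSR: what the renewal job should verify before
# submitting: the self-signature (proof of possession) holds, the embedded
# public key is NEW_KEY's, and subject/SAN were carried over from OLD_CERT.
check_csr() {
  openssl req -in "$3" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(openssl req -in "$3" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] || return 1
  [ "$(subject_of req "$3")" = "$(subject_of x509 "$1")" ] || return 1
  [ "$(san_of req "$3")" = "$(san_of x509 "$1")" ]
}
```

Run it as `renew_csr old.crt new.key new.csr && check_csr old.crt new.key new.csr`; a non-zero exit from check_csr means the request must not be sent.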