Re: Cloning a CSR or Cert. for a new CSR with a new key?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 30 Jan 2020, at 21:38, Douglas Morris via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

I am trying to implement automated domain certificate renewal. A certificate signing request is sent to an ACME server and on success a certificate is returned. I'd like to be able to call OpenSSL to make a new key and then make a new certificate signing request just like the old one except for the replacement key pair file.

I suppose the complete information beyond the new key data is available both in the old crs and the old certificate. I'm looking at the manpages of OpenSSL subcommands 'req' and 'x509'. The openssl x509 option '-x509toreq' gave me a momentary rush of hope, but then I read about the '-signkey' option, which seems to be exclusively about self-signing.

Is 'cloning' the csr or cert. information semantically logical? Is it possible with OpenSSL?

If I can't reliably extract the relevant data from the old csr or old certification, I suppose I must do it as usual with a dedicated config file and the '-batch' option:
     openssl req -key <key> -new -config <config.ini> -outform PEM -out <outfile> -batch

openssl x509 -x509toreq should do the trick

E.g.

# generate test cert
openssl req -x509 -new -subj /CN=foo -nodes -keyout x.key > x.crt
openssl x509 -in x.crt -noout -text

# turn test cert in a request
openssl x509 -x509toreq -signkey x.key < x.crt

Dw


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux