On 5/11/23 12:36, Viktor Dukhovni wrote:
On Thu, May 11, 2023 at 12:06:24PM -0400, Robert Moskowitz wrote:
So for now, I would have to break this into 1st using req to make a CSR,
then feeding that somehow into ca to actually make the cert. I do it in
this two-step for sub certs (intermediate CA and EE certs). Don't know
quite how to get this working for the root self-signed cert to get the
tree started.
The CA can issue its first certificate as self-signed certificate for
its own key, and then that becomes the actual CA certificate for issuing
the rest.
You can bootstrap the CA from a self-signed certificate with the same
issuer/subject name and key that is then replaced.
Oh!!!!
I did not get, at first what you said.
SNEAKY!
Make a 'regular' root self-signed.
use this to sign a cert that I control, that is basically self-signed.
That becomes the REAL CA root cert.
Oh, neat hack.
