On Thu, May 11, 2023 at 03:09:31PM -0400, Robert Moskowitz wrote:

> > You can bootstrap the CA from a self-signed certificate with the same
> > issuer/subject name and key that is then replaced.
> >
> Oh!!!!
>
> I did not get, at first, what you said.
>
> SNEAKY!
>
> Make a 'regular' root self-signed.
>
> Use this to sign a cert that I control, that is basically self-signed.
>
> That becomes the REAL CA root cert.
>
> Oh, neat hack.

I used to do this routinely at a former $work, when building root CAs for
internal issuance. Indeed first generate a CA key + temp self-signed cert,
then ca(1) to issue a replacement self-signed cert, but with ca(1) handling
all the bells and whistles to decorate it with additional properties that
req(1) does not directly support.

I don't have the scripts for that handy (they belong to the employer after
all), but they're simple enough.

--
Viktor.
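
The sequence described in the message above, as an added shell example; it is not part of the original thread and not the scripts the message mentions. The file names, the DN, the config section names, the extension set and the validity periods are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added illustration: temp self-signed cert -> ca(1) issues the real root
# with the same subject/issuer name and the same key.
bootstrap_root() {
    dir=$1 dn=${2:-"/O=Example Corp/CN=Example Internal Root CA"}  # constructed DN
    mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/serial" || return 1
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = root
[ root ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = any
unique_subject = no
[ any ]
organizationName = optional
commonName = supplied
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. CA key, 2. throwaway self-signed cert, 3. CSR with the same name and key
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/ca.key" &&
    openssl req -config "$dir/ca.cnf" -new -x509 -key "$dir/ca.key" -subj "$dn" \
        -days 1 -out "$dir/tmp.pem" &&
    openssl req -config "$dir/ca.cnf" -new -key "$dir/ca.key" -subj "$dn" -out "$dir/ca.csr" &&
    # 4. ca(1), acting as the temp cert, issues the replacement root
    openssl ca -config "$dir/ca.cnf" -batch -notext -cert "$dir/tmp.pem" \
        -keyfile "$dir/ca.key" -extensions v3_root -days 3650 \
        -in "$dir/ca.csr" -out "$dir/root.pem"
}

# Succeeds if issuer name == subject name and the cert verifies under itself.
is_self_issued_root() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

work=$(mktemp -d) && bootstrap_root "$work" && is_self_issued_root "$work/root.pem" &&
    openssl x509 -in "$work/root.pem" -noout -subject -issuer -dates
```

Once `root.pem` exists, `tmp.pem` has no further role and only `root.pem` is distributed as the trust anchor.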