On Thursday, 11 May 2023 21:14:46 CEST, Viktor Dukhovni wrote:
On Thu, May 11, 2023 at 03:09:31PM -0400, Robert Moskowitz wrote:
...
Oh!!!!
I did not get, at first what you said.
SNEAKY!
Make a 'regular' root self-signed.
use this to sign a cert that I control, that is basically self-signed. ...
I used to this routinely at a former $work, when building root CAs for
internal issuance. Indeed first generate a CA key + temp self-signed
cert, then ca(1) to issue a replacement self-signed cert, but with ca(1)
handling all the bells and whistles to decorate it additional properties
that req(1) does not directly support.
I don't have the scripts for that handy (they belong to the employer
after all), but they're simple enough.
I do have public scripts that do that:
https://github.com/redhat-qe-security/certgen/tree/master/certgen
Though note that this library is aimed at creating test certificates, not
production certificates, so it doesn't work with CSR files but rather
expects the CA to generate the keys and certificates.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
