On Sat, Jul 07, 2012, pro...@secure-mail.biz wrote:

> Hello,
>
> Is it possible to sign a foreign SSL public key without having the CSR/private
> key?
>
> Background:
> Because the public root CAs failed at least twice (DigiNotar, Comodo), I'd
> like to pin an SSL certificate from a website I have no control over.
> (Therefore I have no access to the private key and consequently cannot
> create a CSR either.) Pin the SSL cert by using a local self-signed CA.
>
I'm not sure if this will help, but for testing purposes I needed to generate some certificates using DH keys. Since you can't sign with DH, you can't create a CSR directly. I added an option -force_pubkey to the OpenSSL 'x509' utility to do this. It is only in HEAD at present.

So what you do is create a CSR normally using any key, then when you "sign" it to create a certificate you specify the foreign key using -force_pubkey. There is an example of its use in demos/certs/mkcerts.sh

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
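The procedure Steve describes, as an added example that is not from the thread or from OpenSSL's own demos: a local self-signed CA issues a certificate for a site's public key without holding its private key, by signing a throwaway CSR with `-force_pubkey`. It assumes OpenSSL 1.0.2 or later (where `-force_pubkey` shipped) and constructs a stand-in `site.crt` in place of a certificate saved from the real server.

```shell
#!/bin/sh
# Added example (not code from the original thread): pin a foreign public key
# by issuing a local-CA certificate for it with `openssl x509 -force_pubkey`.
# All material is generated offline in a temp dir; site.crt stands in for a
# certificate captured from the real server with `openssl s_client -showcerts`.
set -eu

quiet() { "$@" >/dev/null 2>&1; }

# Body runs in a subshell so the cd and temp files do not leak to the caller.
pin_foreign_pubkey() (
  work=$(mktemp -d)
  cd "$work"

  # 1. Local self-signed CA that will vouch for the pinned key.
  quiet openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca.key -out ca.crt -subj "/CN=Local Pinning CA"

  # 2. The remote site's certificate (constructed here). Its private key is
  #    deleted at once, so only the public half is available, exactly as for
  #    a third-party site we do not control.
  quiet openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout site.key -out site.crt -subj "/CN=www.example.com"
  rm site.key
  openssl x509 -in site.crt -pubkey -noout > site.pub

  # 3. A CSR signed with any throwaway key; it only supplies the subject.
  quiet openssl req -new -newkey rsa:2048 -nodes \
    -keyout dummy.key -out req.csr -subj "/CN=www.example.com"

  # 4. "Sign" the CSR, but force the site's public key into the certificate.
  quiet openssl x509 -req -in req.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -force_pubkey site.pub -days 365 -out pinned.crt

  # 5. Check: the issued cert carries the site's key (not the dummy key)
  #    and chains to the local CA; fail the function otherwise.
  openssl x509 -in pinned.crt -pubkey -noout > pinned.pub
  [ "$(cat pinned.pub)" = "$(cat site.pub)" ] || exit 1
  quiet openssl verify -CAfile ca.crt pinned.crt || exit 1

  # Print the SHA-256 fingerprint of the pinned certificate for the record.
  openssl x509 -in pinned.crt -noout -fingerprint -sha256
)
```

Install `ca.crt` in the trust store of the client that should only accept this site's key; any certificate for the site carrying a different public key will then fail to chain.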