Hi Martin:
On January 5, 2010 02:05:48 pm David Schwartz wrote:
Hello everybody,
I have a question: A client system generates a CSR that contains some
pieces of information and sends the CSR to my CA. What I want to do is
NOT to directly sign the CSR / issue the Certificate but first to
modify or add new pieces of information and then issue the
certificate. Can this be done and if yes: how? Thank you!
It's not only possible, it's the only thing you can do. You can't sign the
CSR because it's already signed. What you do, and must do, is create a
certificate which you sign. You can, if you want to, copy fields out of the
CSR. The CSR serves three purposes:
1) It tells you the public key that you must embed in the certificate.
2) It provides you some (completely unverified) information about the
entity requesting the certificate that you can copy into the certificate if
you want, or not.
3) It provides cryptographic proof that the information provided in part 2
was provided by someone who knows the secret key corresponding to the
public key in part 1.
That's it. You do not sign the CSR. The requestor signs it. You create a
brand new certificate which you then sign.
To answer your ACTUAL question (Sorry David:):
When you are using the openssl CA (strangely enough: openssl ca) command, you
can give it numerous options, including which Subject value to use (the -subj
argument), and which extensions to use (via the -extfile and -extensions
arguments).
So you can set both which extensions you want and which Subject you want
(causing both values in the CSR to be completely ignored) by a command like:
openssl ca -config /etc/myca/openssl.cnf -extfile /etc/myca/openssl-ext.cnf \
  -extensions sig-medium -subj "/C=CA/O=Example Company/OU=Engineering/CN=John Doe" \
  -in req.csr -out john-doe.pem
Where:
/etc/myca/openssl-ext.cnf contains:
[ sig-medium ]
basicConstraints= CA:FALSE
keyUsage= critical, digitalSignature
extendedKeyUsage= emailProtection, anyExtendedKeyUsage
nsComment = Do Not trust - PURE TEST purposes only
subjectKeyIdentifier= hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @testsan
authorityInfoAccess = @aia_points
crlDistributionPoints = @crl_dist_points
[ testsan ]
email = testu...@example.com
DNS = www.example.com
dirName = test_dir
URI = http://www.example.com/
IP = 172.16.0.1
otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:t...@kerberose-domain.internal
otherName.1 = 1.3.6.1.5.5.7.8.7;IA5STRING:_mail.example.com
otherName.2 = 1.3.6.1.5.5.7.8.5;UTF8:testu...@im.example.com
[aia_points]
caIssuers;URI.0=http://www.example.com/caops/Signing-CA.p7c
caIssuers;URI.1=ldap://dir.example.com/DN of Signing CA?cACertificate;binary?base?objectclass=pkiCA
[crl_dist_points]
URI.0=http://www.example.com/caops/test-signca1-crl.crl
URI.1=ldap://dir.example.com/DN of Signing CA?certificateRevocationList;binary?base?objectclass=pkiCA
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
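The override Patrick describes, worked through end to end as an added example (not code from the thread): a scratch CA issues a certificate from a CSR whose Subject and SAN are deliberately bogus, and -subj/-extfile/-extensions replace both. It assumes OpenSSL 1.1.1 or newer on PATH (for req -addext); every path, name and value is constructed for the example.

```shell
#!/bin/sh
# Added example: show that `openssl ca` takes the Subject and extensions from
# the CA operator, not from the CSR. Everything lives in a scratch directory.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
mkdir -p "$W/newcerts"; : > "$W/index.txt"; echo 1000 > "$W/serial"

# Minimal CA config (constructed): only what `openssl ca` needs to run.
cat > "$W/openssl.cnf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
dir           = $W
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/ca.pem
private_key   = \$dir/ca.key
default_md    = sha256
default_days  = 30
policy        = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
EOF
# Extension profile in its own file, mirroring the -extfile usage above.
cat > "$W/openssl-ext.cnf" <<EOF
[ sig-medium ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = emailProtection
subjectAltName   = DNS:www.example.com
EOF
# Self-signed test CA, then a client CSR with a bogus CN and a bogus SAN.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/ca.key" -out "$W/ca.pem" \
  -subj "/CN=Example Test CA" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout "$W/client.key" -out "$W/req.csr" \
  -subj "/CN=attacker-chosen-name" -addext "subjectAltName=DNS:evil.example" >/dev/null 2>&1
# Issue: -subj and -extensions win; CSR extensions are ignored (copy_extensions unset).
openssl ca -batch -notext -config "$W/openssl.cnf" -extfile "$W/openssl-ext.cnf" \
  -extensions sig-medium -subj "/C=CA/O=Example Company/OU=Engineering/CN=John Doe" \
  -in "$W/req.csr" -out "$W/john-doe.pem" >/dev/null 2>&1

issued_subject() { openssl x509 -in "$W/john-doe.pem" -noout -subject -nameopt RFC2253; }
issued_cert_text() { openssl x509 -in "$W/john-doe.pem" -noout -text; }
issued_subject
```

The issued certificate carries the CA's Subject and www.example.com SAN; neither attacker-chosen-name nor evil.example from the CSR survives, which is why a CA must treat CSR contents as unverified claims.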