Openssl creating a certificate from a CSR (No Private Key - Stored in another System)

Tags:

openssl

I need to create a certificate based on a CSR generated by a third party; I have no access to the private key. The certificate generated needs to have keyUsage = keyCertSign as a minimum as part of the certificate.

C:/OpenSSL-Win32/bin/openssl.exe req -in C:/xampp/htdocs/certs/test.csr -out test.cer -config C:/xampp/htdocs/command.cnf

Which of course didn't work.

Is this possible? If not can certreq be used instead? The PKI servers we are using are Microsoft Based.

asked Oct 20 '25 00:10 by user2914877


1 Answer

Given a certificate (ca-cert.pem) and its private key (ca-key.pem), use OpenSSL to sign a provided CSR (csr.pem) and generate a certificate for it (cert.pem) -

openssl x509 -req -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 365 -sha256

Meaning of options -

  • -CAcreateserial - serial number would be randomly generated for the certificate (and increased in future activations).
  • -days 365 - certificate would have a validity of 365 days.
  • -sha256 - certificate would use SHA256 as its signature algorithm (which is the default).

To generate such a certificate with "certificate signing" key usage (and also a CA basic constraint, which you probably need), create a configuration file (config.txt) -

[extensions]
keyUsage = keyCertSign
basicConstraints = CA:TRUE

And provide it to OpenSSL as well (pointing to the "extensions" section) -

openssl x509 -req -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 365 -sha256 -extfile config.txt -extensions extensions

Examine the resulting certificate -

openssl x509 -in cert.pem -noout -text

It has -

X509v3 extensions:
  X509v3 Key Usage:
    Certificate Sign
  X509v3 Basic Constraints:
    CA:TRUE

For completeness, here is how to create the "provided" CA key, CA self-signed certificate, subject key and CSR (here using RSA keys; EC keys can be used identically) -

CA key -

openssl genpkey -algorithm RSA -out ca-key.pem -pkeyopt rsa_keygen_bits:2048

CA self-signed certificate -

openssl req -key ca-key.pem -new -x509 -days 365 -out ca-cert.pem -sha256 -subj /CN=CACert

Subject key -

openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048

CSR for subject key -

openssl req -new -key key.pem -out csr.pem -sha256 -subj /CN=SubjectCert
answered Oct 22 '25 04:10 by Hexagon
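The whole procedure from the answer above, run end to end as an added example (this is not code from the question or the answer): it builds a stand-in CA and a stand-in third-party CSR, signs the CSR with the CA key while supplying the extensions from a file, and then runs the checks a practitioner would want before handing the certificate back. It assumes the openssl CLI is on PATH; every file name, the working directory and the extension profile (a subordinate CA with pathlen:0 and cRLSign added) are assumptions. One point worth knowing: openssl x509 -req does not copy extensions requested in the CSR unless told to, so the only extensions in the issued certificate are the ones in the -extfile, which is what you want when the CSR comes from a party you do not control.

```shell
#!/bin/sh
# Added example, not part of the original Q&A. Assumes `openssl` is on PATH.
# All paths and names below are assumptions chosen for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-ins for the "provided" CA and for the third-party CSR (constructed here;
# in the real scenario csr.pem arrives from the other system and key.pem never exists locally).
make_fixtures() {
  openssl genpkey -algorithm RSA -out "$WORK/ca-key.pem" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl req -key "$WORK/ca-key.pem" -new -x509 -days 365 -sha256 -subj /CN=CACert -out "$WORK/ca-cert.pem"
  openssl genpkey -algorithm RSA -out "$WORK/key.pem" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl req -new -key "$WORK/key.pem" -sha256 -subj /CN=SubjectCert -out "$WORK/csr.pem"
}

# Extension profile for a subordinate CA (assumed profile). pathlen:0 stops the
# issued cert from creating further sub-CAs; drop it if that is required.
write_extfile() {
  cat > "$WORK/config.txt" <<'EOF'
[extensions]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Sign the CSR. Only the subject name and public key are taken from the CSR;
# the extensions come from config.txt, not from whatever the CSR asked for.
sign_csr() {
  openssl x509 -req -in "$WORK/csr.pem" -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/config.txt" -extensions extensions -out "$WORK/cert.pem" 2>/dev/null
}

# Post-issuance checks. Each returns 0 on success so a caller can gate on them.
cert_has_keycertsign() {
  openssl x509 -in "$WORK/cert.pem" -noout -text | grep -q 'Certificate Sign'
}
cert_is_ca() {
  openssl x509 -in "$WORK/cert.pem" -noout -text | grep -q 'CA:TRUE'
}
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/cert.pem" >/dev/null
}
# The public key in the issued cert must be the one from the CSR; a mismatch
# means the wrong request was signed.
cert_matches_csr() {
  [ "$(openssl req -in "$WORK/csr.pem" -noout -pubkey)" = \
    "$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey)" ]
}

make_fixtures
write_extfile
sign_csr
```

The checks deliberately read the decoded certificate rather than trusting the exit status of the signing step: a missing -extensions argument still produces a valid-looking certificate, just without the key usage the question requires, and only the decoded output reveals that.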


