[Pki-users] signing a certificate request using CLI

Chandrasekar Kannan ckannan at redhat.com
Wed Apr 29 21:37:04 UTC 2009


On Wed, 2009-04-29 at 17:27 -0400, Fortunato wrote:
> Hello again. 
> 
> In advance, I apologize for the basic questions but I'm trying to follow along with the openssl examples.
> 
> Signing a CSR is relatively easy using openssl, so I'm wondering if there's a similar CLI command (with options) in DCS.

from
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Creating a Certificate
A valid certificate must be issued by a trusted CA. If a CA key pair is
not available, you can create a self-signed certificate (for purposes of
illustration) with the -x argument. This example creates a new binary,
self-signed CA certificate named myissuer, in the specified directory.
certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234 -f password-file -d certdir
The following example creates a new binary certificate named mycert.crt,
from a binary certificate request named mycert.req, in the specified
directory. It is issued by the self-signed certificate created above,
myissuer. 
certutil -C -m 2345 -i mycert.req -o mycert.crt -c myissuer -d certdir 

> 
> ---
> 
>   # openssl ca -in /root/CA/cisco1.csr -extensions x509v3_extensions -out /root/CA/cisco1.pem -notext
>   Using configuration from /root/CA/openssl.cnf
>   Check that the request matches the signature
>   Signature ok
>   The Subject's Distinguished Name is as follows
>   organizationName      :PRINTABLE:'Stargate Command Domain'
>   commonName            :PRINTABLE:'cisco1.stargatecommand.mil'
>   Certificate is to be certified until Apr 24 17:15:41 2010 GMT (365 days)
>   Sign the certificate? [y/n]:y
> 
> 
>   1 out of 1 certificate requests certified, commit? [y/n]y
>   Write out database with 1 new entries
>   Data Base Updated
> 
> ---
> 
> The only thing similar I can find is CMCenroll, but it looks like it can't specify the signing cert as specified in OPENSSL_CONF.
> 
> I'm doing reading on the end-entity (EE) versus agent services. Automation is great but I'd like to cover the basics using the CLI. It is Linux BTW. :)
> 
-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan --  ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
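
The certutil flow quoted in the reply above, carried through end to end in a throwaway NSS database. This is an added example, not part of the original message or of the certutil documentation. The subjects, nicknames, password and file paths are constructed, and the interactive -1 -2 -5 extension prompts are omitted so the script runs unattended.

```shell
#!/bin/sh
# Added example: names, subjects, serials and paths below are constructed.
# Runs the whole flow in a throwaway NSS database under directory $1.
sign_csr_demo() {
    command -v certutil >/dev/null 2>&1 || {
        echo "certutil (NSS tools) not found" >&2; return 127; }
    work=$1
    db="$work/certdir"
    pw="$work/password-file"
    noise="$work/noise"
    mkdir -p "$db" || return 1
    printf 'constructed-demo-password\n' > "$pw"
    # Noise file seeds key generation so certutil does not ask for keystrokes.
    head -c 2048 /dev/urandom > "$noise"

    # 1. Create an empty database protected by the password file.
    certutil -N -d "$db" -f "$pw" || return 1

    # 2. Self-signed CA (-x). "CT,," trusts it as an issuer for SSL only.
    #    The interactive -1 -2 -5 extension prompts are left out here.
    certutil -S -x -s "CN=Demo Issuer" -n myissuer -t "CT,," -m 1234 -v 12 \
        -z "$noise" -f "$pw" -d "$db" || return 1

    # 3. Binary (DER) request; its private key stays in the database.
    certutil -R -s "CN=host.example.test" -o "$work/mycert.req" \
        -z "$noise" -f "$pw" -d "$db" || return 1

    # 4. Sign the request with the CA key: the step asked about.
    certutil -C -m 2345 -v 12 -i "$work/mycert.req" -o "$work/mycert.crt" \
        -c myissuer -f "$pw" -d "$db" || return 1

    # 5. Import the issued certificate and check that it chains to the CA
    #    for SSL server use (-u V) before handing it out.
    certutil -A -n mycert -t ",," -i "$work/mycert.crt" -f "$pw" -d "$db" || return 1
    certutil -V -n mycert -u V -d "$db"
}

demo_dir=$(mktemp -d)
sign_csr_demo "$demo_dir"
echo "exit status: $?  (files in $demo_dir)"
```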
