[Pki-users] signing a certificate request using CLI
Chandrasekar Kannan
ckannan at redhat.com
Wed Apr 29 21:37:04 UTC 2009
On Wed, 2009-04-29 at 17:27 -0400, Fortunato wrote:
> Hello again.
>
> In advance, I apologize for the basic questions but I'm trying to follow along with the openssl examples.
>
> Signing a CSR is relatively easy using openssl, so I'm wondering if there's a similar CLI command (with options) in DCS.
From http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html:

Creating a Certificate

A valid certificate must be issued by a trusted CA. If a CA key pair is
not available, you can create a self-signed certificate (for purposes of
illustration) with the -x argument. This example creates a new binary,
self-signed CA certificate named myissuer, in the specified directory.

    certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234 -f password-file -d certdir

The following example creates a new binary certificate named mycert.crt,
from a binary certificate request named mycert.req, in the specified
directory. It is issued by the self-signed certificate created above,
myissuer.

    certutil -C -m 2345 -i mycert.req -o mycert.crt -c myissuer -d certdir

>
> ---
>
> # openssl ca -in /root/CA/cisco1.csr -extensions x509v3_extensions -out /root/CA/cisco1.pem -notext
> Using configuration from /root/CA/openssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> organizationName :PRINTABLE:'Stargate Command Domain'
> commonName :PRINTABLE:'cisco1.stargatecommand.mil'
> Certificate is to be certified until Apr 24 17:15:41 2010 GMT (365 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> ---
>
> The only thing similar I can find is CMCenroll, but it looks like it can't specify the signing cert as specified in OPENSSL_CONF.
>
> I'm doing reading on the end-entity (EE) versus agent services. Automation is great but I'd like to cover the basics using the CLI. It is Linux BTW. :)
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
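
Added example, not part of the original thread or of the certutil documentation: a check that a binary (DER) certificate such as mycert.crt carries the same public key as the request mycert.req and verifies against the issuer certificate. It assumes the openssl command is installed and that the issuer certificate has been exported to a DER file (myissuer.der is an assumed name); the sample files are constructed with openssl itself so the script runs without an NSS database.

```shell
#!/bin/sh
# Added example. mycert.req / mycert.crt follow the thread; myissuer.der is an
# assumed name for the issuer certificate in DER ("binary") form, e.g. the
# output of: certutil -L -n myissuer -d certdir -r

# Print the public key (PEM) of a DER request ($1=req) or certificate ($1=x509).
pubkey() { openssl "$1" -inform DER -in "$2" -noout -pubkey 2>/dev/null; }

# check_issued REQ CERT ISSUER
# returns 0 = ok, 1 = key mismatch or chain failure, 2 = unreadable REQ or CERT
check_issued() {
    req_key=$(pubkey req "$1") && [ -n "$req_key" ] || return 2
    crt_key=$(pubkey x509 "$2") && [ -n "$crt_key" ] || return 2
    # The certificate must bind the key that was in the request.
    [ "$req_key" = "$crt_key" ] || return 1
    tmp=$(mktemp -d) || return 2
    # Convert to PEM first: older openssl releases read only PEM in "verify".
    openssl x509 -inform DER -in "$2" -out "$tmp/crt.pem" 2>/dev/null &&
    openssl x509 -inform DER -in "$3" -out "$tmp/ca.pem" 2>/dev/null &&
    openssl verify -CAfile "$tmp/ca.pem" "$tmp/crt.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
}

# Constructed sample data: a throwaway issuer, one request, two certificates
# (mycert.crt for the request's key, other.crt for a different key).
make_samples() {  # $1 = existing empty directory
    ( set -e; cd "$1"
      printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > o.cnf
      openssl req -x509 -config o.cnf -newkey rsa:2048 -nodes -keyout ca.key -subj "/CN=My Issuer" -days 30 -out ca.pem
      openssl req -new -config o.cnf -newkey rsa:2048 -nodes -keyout my.key -subj "/CN=mycert" -out my.pem
      openssl req -new -config o.cnf -newkey rsa:2048 -nodes -keyout other.key -subj "/CN=mycert" -out other.pem
      openssl req -config o.cnf -in my.pem -outform DER -out mycert.req
      openssl x509 -in ca.pem -outform DER -out myissuer.der
      openssl x509 -req -in my.pem -CA ca.pem -CAkey ca.key -set_serial 2345 -days 30 -outform DER -out mycert.crt
      openssl x509 -req -in other.pem -CA ca.pem -CAkey ca.key -set_serial 2346 -days 30 -outform DER -out other.crt
    ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_samples "$d"
check_issued "$d/mycert.req" "$d/mycert.crt" "$d/myissuer.der"; echo "matching certificate: $?"
check_issued "$d/mycert.req" "$d/other.crt" "$d/myissuer.der"; echo "certificate for another key: $?"
rm -rf "$d"
```

Against real files, only check_issued is needed; the sample-building function exists so the script can be run offline.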