#60 Allow CSR to be provided to getcert
Opened 7 years ago by nkinder. Modified 2 years ago

Currently, getcert will generate a CSR based off of a number of input parameters. It allows for some common extensions:

Parameters for the signing request:
-N NAME set requested subject name (default: CN=<hostname>)
-U EXTUSAGE set requested extended key usage OID
-u KEYUSAGE set requested key usage value
-K NAME set requested principal name
-D DNSNAME set requested DNS name
-E EMAIL set requested email address
-A ADDRESS set requested IP address

In cases where a profile may require other extensions, it would be nice to be able to provide a CSR to be supplied to getcert.
Metadata Update from @nkinder:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

I was thinking about this today (I am implementing support for the MS V2 certificate template extension).

I don't think providing the CSR is the right approach for certmonger; much of the value of certmonger is in certmonger managing the keys & certdb, and automatically generating the CSR. This approach would require the CSR to be generated outside certmonger - probably by a human user (poor human...)

Instead, if there is a real use case (the fact that I'm implementing an extension right now suggests there probably is), I'd suggest a new template option that can take a list of extension OIDs, criticality bool, and encoded extension data, e.g. something like:

getcert request <snip> \
  --extensions 1.2.3.4:0:base64extdata,1.2.42.311.66:1:dataOfAnotherExtension

i.e. it takes a comma-separated list of colon-separated tuples (oid, critical {0,1}, extdata {base64-encoded})
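The tuple syntax proposed in that comment, parsed and DER-encoded as an added example (this is not certmonger code). The strict rejection of malformed OIDs, flags other than 0/1 and non-canonical base64, and the RFC 5280 Extension encoding, are my assumptions about how such an option would have to be validated before the data lands in a CSR:

```python
import base64
import re

# Proposed syntax: "oid:critical:base64data,oid:critical:base64data"
_OID_RE = re.compile(r"^[0-2](?:\.(?:0|[1-9][0-9]*))+$")

def parse_extensions(spec):
    """Return [(oid, critical, value)] for the comma-separated oid:critical:base64 tuples.
    Bad OIDs, flags other than 0/1 and non-canonical base64 are rejected outright."""
    out = []
    for item in spec.split(","):
        parts = item.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected oid:critical:data, got {item!r}")
        oid, crit, data = parts
        if not _OID_RE.match(oid):
            raise ValueError(f"bad OID {oid!r}")
        if crit not in ("0", "1"):
            raise ValueError(f"critical must be 0 or 1, got {crit!r}")
        try:
            value = base64.b64decode(data, validate=True)
        except ValueError as e:  # binascii.Error is a ValueError subclass
            raise ValueError(f"bad base64 for {oid}: {e}") from None
        out.append((oid, crit == "1", value))
    return out

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    if arcs[0] < 2 and arcs[1] >= 40:
        raise ValueError(f"second arc must be < 40 in {oid}")
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:  # first two arcs share a byte
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return b"\x06" + _der_len(len(body)) + bytes(body)

def der_extension(oid, critical, value):
    """Encode Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue } (RFC 5280)."""
    inner = _der_oid(oid)
    if critical:  # DER omits DEFAULT values, so FALSE is never written
        inner += b"\x01\x01\xff"
    inner += b"\x04" + _der_len(len(value)) + value
    return b"\x30" + _der_len(len(inner)) + inner
```

With a constructed input such as `parse_extensions("2.5.29.19:1:MAMBAf8=")`, the result is a critical basicConstraints CA:TRUE extension; note that the comment's own `base64extdata` placeholder is rejected because it is not valid base64.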

I've got a use case for this feature.

I've got some devices that are able to generate private keys and output a CSR.

I'd like to use certmonger to submit those CSRs to FreeIPA for signing. certmonger will take care of re-submitting the CSR when the signed certificate is close to expiring. A post-save command will upload the signed certificate to the devices.

Possible UI: a new --csrfile= option that may be specified instead of --keyfile= when --certfile= is given:

# << EOF cat > /etc/pki/tls/private/device1.csr
<paste>
EOF

# getcert request \
    --certfile=/etc/pki/tls/certs/device1.crt \
    --csrfile=/etc/pki/tls/private/device1.csr \
    --after-command=/path/to/post-save.sh
