#60 Allow CSR to be provided to getcert
Opened 2 years ago by nkinder. Modified 2 years ago

Currently, getcert will generate a CSR based on a number of input parameters. It allows for some common extensions:

Parameters for the signing request:
-N NAME set requested subject name (default: CN=<hostname>)
-U EXTUSAGE set requested extended key usage OID
-u KEYUSAGE set requested key usage value
-K NAME set requested principal name
-D DNSNAME set requested DNS name
-E EMAIL set requested email address
-A ADDRESS set requested IP address

In cases where a profile may require other extensions, it would be nice to be able to provide a CSR to be supplied to getcert.


Metadata Update from @nkinder:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

2 years ago

I was thinking about this today (I am implementing support for
the MS V2 certificate template extension).

I don't think providing the CSR is the right approach for certmonger;
much of the value of certmonger is in certmonger managing the keys &
certdb, and automatically generating the CSR. This approach would
require the CSR to be generated outside certmonger - probably by a
human user (poor human...)

Instead, if there is a real use case (the fact that I'm implementing an
extension right now suggests there probably is), I'd suggest a new
template option that can take a list of extension OIDs, criticality bool,
and encoded extension data, e.g. something like:

getcert request <snip> \
  --extensions 1.2.3.4:0:base64extdata,1.2.42.311.66:1:dataOfAnotherExtension

i.e. it takes a comma separated list of colon-separated tuples
(oid, critical {0,1}, extdata {base64-encoded})
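The tuple syntax proposed above, as an added example that is not part of this ticket or of certmonger: a hypothetical Python helper (assumed names `parse_extensions`, `der_extension`) that validates each oid:critical:base64 tuple and DER-encodes it as an X.509 Extension, the form a CSR's extensionRequest attribute carries.

```python
import base64
import re

# Added example, not certmonger code: parse the proposed --extensions syntax
# "oid:critical:base64,..." and DER-encode each tuple as an X.509 Extension.
_OID_RE = re.compile(r"^[0-2](\.(0|[1-9][0-9]*))+$")


def parse_extensions(spec: str) -> list[tuple[str, bool, bytes]]:
    """Return (oid, critical, der_value) tuples; any bad field raises.
    Base64 never contains ':' or ',', so they are safe separators."""
    out, seen = [], set()
    for n, item in enumerate(spec.split(","), 1):
        parts = item.split(":")
        if len(parts) != 3:
            raise ValueError(f"tuple {n}: expected oid:critical:base64")
        oid, crit, b64 = parts
        arcs = [int(a) for a in oid.split(".")] if _OID_RE.match(oid) else None
        if not arcs or (arcs[0] < 2 and arcs[1] > 39) or oid in seen:
            raise ValueError(f"tuple {n}: invalid or duplicate OID {oid!r}")
        if crit not in ("0", "1"):
            raise ValueError(f"tuple {n}: criticality must be 0 or 1")
        value = base64.b64decode(b64, validate=True)  # rejects junk characters
        if not value:
            raise ValueError(f"tuple {n}: empty extension data")
        seen.add(oid)
        out.append((oid, crit == "1", value))
    return out


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base 128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def der_extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { OID, BOOLEAN DEFAULT FALSE, OCTET STRING }."""
    inner = _der_oid(oid)
    if critical:  # DEFAULT FALSE: the BOOLEAN is encoded only when TRUE
        inner += b"\x01\x01\xff"
    inner += b"\x04" + _der_len(len(value)) + value
    return b"\x30" + _der_len(len(inner)) + inner
```

Every malformed tuple raises rather than being skipped, since an extension silently dropped from the request would change what the CA ends up signing.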
