Comments (8)

fffonion avatar fffonion commented on August 29, 2024

Hi @aze2201, the CSR has to be signed with the private key, the same private key that signs the certificate the CSR is being used to create.
Can you explain more about what you are trying to do, possibly with the openssl CLI or in another programming language?

from lua-resty-openssl.

aze2201 avatar aze2201 commented on August 29, 2024

Sure. Here is an example command in openssl.

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360 -extfile filename
As we can see, the CSR is generated by a different key (server.key) without signing; another root key is signing that CSR, like a public CA signing our CSR.

In my case ca.key and ca.crt already exist. I want to use Lua to generate a CSR and sign it with these keys, instead of its own (self) keys, and get a server.crt file.


fffonion avatar fffonion commented on August 29, 2024

This is actually creating a cert according to the content provided by the CSR, and signing it with the root CA key. You can do the following:

  • Verify the CSR has a valid signature (by using the subject key to verify the signature inside the CSR)
  • Get the subject name, alt names etc., all the extensions you care about, from the CSR.
  • Create an empty x509 instance, set the extensions exactly as provided by the CSR.
  • Set not_before of the x509 to now, not_after to now+valid time.
  • Set the issuer_name of the x509 to the CN of the CA
  • Set the subject key ID to the server.key
  • Sign the x509 with the root CA

This https://github.com/fffonion/lua-resty-openssl/blob/master/t/openssl/helper.lua#L10 is the example of how to set that stuff in x509.


fffonion avatar fffonion commented on August 29, 2024

If you are only looking for "create an x509 cert signed with an existing CA", instead of a self-signed cert, then a CSR is not required. Simply use the link I provided in the previous comment and pass is_ca as false.


aze2201 avatar aze2201 commented on August 29, 2024

I think we misunderstand each other. Correct me if I am wrong, please. The above link will create a signed cert from an existing private key. It is like a self-signed certificate. But I don't want self-signed.

If so, let me rephrase my question.
We already have a root CA and keys, which are not part of the web server. The root CA should be used on the web server; it only signs CSRs for multiple CNs for multiple web domains.

The flow is like this (same as when we issue a new domain's HTTPS):

  1. Generate server.key
  2. Generate a CSR named server.csr from this server key.
  3. Send it to the site where lua-resty-openssl is.
  4. lua-resty-openssl will take this CSR, sign it with its own existing CA and CA key, and output server.crt to the issuer.
  5. Then we can install server.key and server.crt on our NGINX or Apache.

So I want to use an existing key pair to sign any other CSR.

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

Do you think we are on the same page about my question?


fffonion avatar fffonion commented on August 29, 2024

@aze2201 Yes, we are on the same page : )
If you want to use lua-resty-openssl to act like a CA service then yes, you will need a CSR indeed. Please use #118 (comment) this comment as a guide. Note you are creating a new x509 cert, with all the stuff from the CSR, instead of "signing a CSR".
(I know some KB docs use "sign CSR" to refer to this process, but it's inaccurate in our context. We have csr:sign() which signs the content of the CSR. And it's not what you are looking for.)

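As an added example (not code from this thread or from the lua-resty-openssl project), here is the "CA service" flow discussed above written against lua-resty-openssl's documented API: verify the CSR, build a fresh x509 from its subject, key and SAN, set issuer and validity, and sign with the existing ca.key. It assumes OpenResty or LuaJIT with lua-resty-openssl installed, PEM strings read by the caller, and that extension.new("subjectKeyIdentifier", "hash", { subject = cert }) is accepted for the key id (an assumption to check against the README of the version you use).

```lua
-- Added example, not code from the thread or from lua-resty-openssl itself.
-- The subjectKeyIdentifier extension call below is an assumed API; verify it.
local pkey      = require "resty.openssl.pkey"
local x509      = require "resty.openssl.x509"
local csr_mod   = require "resty.openssl.x509.csr"
local extension = require "resty.openssl.x509.extension"
local bn        = require "resty.openssl.bn"
local rand      = require "resty.openssl.rand"

-- All arguments are PEM strings; returns the new certificate PEM, or nil and an error.
local function issue_from_csr(csr_pem, ca_cert_pem, ca_key_pem, valid_seconds)
  local csr, err = csr_mod.new(csr_pem)
  if not csr then return nil, "cannot parse CSR: " .. tostring(err) end

  -- Step 1: the CSR must verify with the public key it carries
  -- (proof that the requester holds server.key). Reject it otherwise.
  local ok, verr = csr:verify(csr:get_pubkey())
  if not ok then return nil, "CSR signature invalid: " .. tostring(verr) end
  local ca_cert = assert(x509.new(ca_cert_pem))
  local ca_key  = assert(pkey.new(ca_key_pem))

  -- Step 2/3: a new cert carrying only the subject, key and SAN from the CSR.
  -- Nothing else is copied blindly (e.g. a requested CA:TRUE must not get in).
  local cert = assert(x509.new())
  cert:set_version(3)
  cert:set_serial_number(bn.from_binary(rand.bytes(16)))  -- unique per issuer
  cert:set_subject_name(csr:get_subject_name())
  cert:set_pubkey(csr:get_pubkey())
  local san = csr:get_subject_alt_name()
  if san then cert:set_subject_alt_name(san) end

  -- Step 4: validity window.
  local now = os.time()
  cert:set_not_before(now)
  cert:set_not_after(now + valid_seconds)

  -- Step 5: issuer is the CA's subject, and this is explicitly not a CA cert.
  cert:set_issuer_name(ca_cert:get_subject_name())
  cert:set_basic_constraints({ CA = false })
  cert:set_basic_constraints_critical(true)

  -- Step 6 (assumed API): subject key id derived from the server public key.
  cert:add_extension(assert(extension.new("subjectKeyIdentifier", "hash", { subject = cert })))

  -- Step 7: sign with the CA key (SHA-256 by default), never with server.key.
  assert(cert:sign(ca_key))
  return cert:to_PEM()
end
```

A request that fails csr:verify(), or any extension you did not explicitly copy, never reaches the CA key; that is the practical difference between building a fresh x509 and "signing the CSR".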

fffonion avatar fffonion commented on August 29, 2024

You can also refer to the openssl source https://github.com/openssl/openssl/blob/master/apps/x509.c; only note all the branches under if reqfile. You can reimplement it with our Lua binding to the matching C function.


fffonion avatar fffonion commented on August 29, 2024

Closing for inactivity, please re-open if needed.
