I am trying to sign a CSR provided by an end-user entity and I have the private key and certificate of the intermediate CA. Every example I come across online uses a .cnf file that is passed as an argument. Is there a way by which I can sign a CSR without having to use a .cnf file in the command (by only using the cert and key of the intermediate CA)?
-1
-
Possible duplicate of [How do you sign Certificate Signing Request with your Certification Authority?](http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority) – jww Feb 26 '16 at 15:20
-
@jww I've already referred to the pointed question before posting and don't think this one is a duplicate of that one. I did not want to use any configuration file and that was my main concern. The accepted and only answer in the pointed post uses a configuration file which was what I was trying to avoid. – zorya Feb 28 '16 at 17:37
-
You can't avoid a CONF file *if* you want a well formed signing request or self signed certificate. That's because the CONF file is the *only* way to specify *Subject Alternate Names*. – jww Feb 28 '16 at 18:14
1 Answer
1
Found the solution myself. You can use the -CA and -CAkey options to pass the information and have the cert signed.
For example, you would do:
```
openssl x509 -req -in someCSR.pem -CA <signerCert>.pem -CAkey <signerKey>.pem -CAcreateserial -out <signedCert>.pem
```
-
This uses the default CONF file. If you want to convince yourself, open the file `openssl.cnf`, and delete the ***`[req]`***, ***`[v3_req]`*** sections. – jww Feb 28 '16 at 18:21
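An added example, not part of the answer or comments above: it runs the answer's `openssl x509 -req` command against a CSR that requests a Subject Alternative Name, then checks which issued certificate actually carries it. It assumes OpenSSL 1.1.1 or later (for `-addext`), uses a self-signed throwaway certificate as a stand-in for the intermediate CA, and all names, file names and the SAN value are constructed for the demo.

```shell
#!/bin/sh
# Added demo: throwaway keys; all names below are constructed.
set -eu
SAN='DNS:leaf.example.test'   # constructed SAN requested by the end entity

# Stand-in CA (self-signed here) and an end-entity CSR that asks for $SAN.
make_fixtures() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Intermediate CA' \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=leaf.example.test' \
    -addext "subjectAltName=$SAN" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
}

# The answer's command as given: no -extfile, so CSR extensions are not copied.
sign_plain() {  # $1 = work dir
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/plain.pem"
}

# Same command plus a one-line extension file written by the signer.
sign_with_san() {  # $1 = work dir
  printf 'subjectAltName=%s\n' "$SAN" > "$1/san.ext"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/san.pem"
}

csr_has_san()  { openssl req  -in "$1" -noout -text | grep -q "$SAN"; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "$SAN"; }

# True when the issuer of cert $1 equals the subject of cert $2.
issued_by() {
  i=$(openssl x509 -in "$1" -noout -issuer)
  s=$(openssl x509 -in "$2" -noout -subject)
  [ "${i#*=}" = "${s#*=}" ]   # drop the "issuer="/"subject=" label
}

report() {  # $1 = work dir; one line per artifact
  for f in leaf.csr plain.pem san.pem; do
    case $f in *.csr) chk=csr_has_san ;; *) chk=cert_has_san ;; esac
    if $chk "$1/$f"; then echo "$f: SAN present"; else echo "$f: SAN missing"; fi
  done
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_fixtures "$work"; sign_plain "$work"; sign_with_san "$work"
report "$work"
```

On OpenSSL 3.0 and later, `-copy_extensions copy` is an alternative, but it issues whatever the requester put in the CSR, so a signer-controlled `-extfile` is the safer default.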