From kevinhughes27 at gmail.com Thu Apr 11 12:19:29 2019
From: kevinhughes27 at gmail.com (Kevin Hughes)
Date: Thu, 11 Apr 2019 12:19:29 -0400
Subject: [Cryptography-dev] Signing a CSR with your own CA
Message-ID:

Hey Cryptography Devs,

I am trying to figure how to use pyca/cryptography to sign a CSR with my
own CA and I can't quite see how I am supposed to do this using the
library.

I have finished and understood the tutorial for creating a CSR
https://cryptography.io/en/latest/x509/tutorial/#creating-a-certificate-signing-request-csr

I've previously worked through how to do this with raw openssl commands:

    openssl x509 \
      -req \
      -in "csr.pem" \
      -CA myCA.pem \
      -CAkey myCA.key \
      -passin "pass:$ca_password" \
      -CAcreateserial \
      -out "crt.pem" \
      -days 1825 \
      -sha256 \
      -extfile "extfile.txt"

I appreciate the help and look forward to using this library

- Kevin

From alex.gaynor at gmail.com Thu Apr 11 16:29:20 2019
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Thu, 11 Apr 2019 16:29:20 -0400
Subject: [Cryptography-dev] Signing a CSR with your own CA
In-Reply-To:
References:
Message-ID:

Hi Kevin,

The short version is, despite what the OpenSSL CLI would have you think,
"signing a CSR" isn't a thing. When a CA receives a CSR, it copies some of
the elements (most importantly the public key) from the CSR into a new cert.

https://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate
gives an example of how to go about creating a certificate (you'll need to
modify it a bit to sign with a CA instead of being self-signed). Figuring
out what data from the CSR you want to include in the cert is your decision.

Alex

On Thu, Apr 11, 2019 at 4:22 PM Kevin Hughes wrote:

> Hey Cryptography Devs,
>
> I am trying to figure how to use pyca/cryptography to sign a CSR with my
> own CA and I can't quite see how I am supposed to do this using the
> library.
>
> I have finished and understood the tutorial for creating a CSR
> https://cryptography.io/en/latest/x509/tutorial/#creating-a-certificate-signing-request-csr
>
> I've previously worked through how to do this with raw openssl commands:
>
>     openssl x509 \
>       -req \
>       -in "csr.pem" \
>       -CA myCA.pem \
>       -CAkey myCA.key \
>       -passin "pass:$ca_password" \
>       -CAcreateserial \
>       -out "crt.pem" \
>       -days 1825 \
>       -sha256 \
>       -extfile "extfile.txt"
>
> I appreciate the help and look forward to using this library
>
> - Kevin

--
All that is necessary for evil to succeed is for good people to do nothing.