[Cryptography-dev] Signing a CSR with your own CA
Alex Gaynor
alex.gaynor at gmail.com
Thu Apr 11 16:29:20 EDT 2019
Hi Kevin,
The short version is, despite what the OpenSSL CLI would have you think,
"signing a CSR" isn't a thing. When a CA receives a CSR, it copies some of
the elements (most importantly the public key) from the CSR into a new
cert.
https://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate
gives an example of how to go about creating a certificate (you'll need to
modify it a bit to sign with a CA instead of being self-signed). Figuring out
what data from the CSR you want to include in the cert is your decision.
Alex
On Thu, Apr 11, 2019 at 4:22 PM Kevin Hughes <kevinhughes27 at gmail.com>
wrote:
> Hey Cryptography Devs,
>
> I am trying to figure out how to use pyca/cryptography to sign a CSR with my
> own CA and I can't quite see how I am supposed to do this using the
> library. I have finished and understood the tutorial for creating a CSR
> https://cryptography.io/en/latest/x509/tutorial/#creating-a-certificate-signing-request-csr
>
> I've previously worked through how to do this with raw openssl commands:
>
> openssl x509 \
> -req \
> -in "csr.pem" \
> -CA myCA.pem \
> -CAkey myCA.key \
> -passin "pass:$ca_password" \
> -CAcreateserial \
> -out "crt.pem" \
> -days 1825 \
> -sha256 \
> -extfile "extfile.txt"
>
> I appreciate the help and look forward to using this library.
>
> - Kevin
>
>
--
All that is necessary for evil to succeed is for good people to do nothing.
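
The issuance step described in the reply above, as an added example that is not part of the original thread or the pyca/cryptography documentation: the CA checks the CSR's self-signature, copies only the subject and public key, and sets everything else itself. The function name, the constructed CA/CSR names and the SAN list are assumptions; the 1825-day lifetime and SHA-256 mirror the quoted openssl command.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue_from_csr(csr, ca_cert, ca_key, dns_names, days=1825):
    """Issue a new leaf certificate for the CSR's public key, signed by the CA."""
    if not csr.is_signature_valid:  # requester must hold the matching private key
        raise ValueError("CSR self-signature does not verify")
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)        # copied from the CSR
        .public_key(csr.public_key())     # copied from the CSR
        .issuer_name(ca_cert.subject)     # everything below is the CA's decision
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]), critical=False)
    )
    # Extensions requested inside the CSR are deliberately not copied.
    return builder.sign(ca_key, hashes.SHA256())

def demo():
    """Constructed CA and CSR (throwaway keys, made-up names) run through issuance."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(name("Example Test CA")).issuer_name(name("Example Test CA"))
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(name("host.example.test"))
        # This constructed CSR asks for CA=true; the issuer must not honour it.
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(leaf_key, hashes.SHA256())
    )
    return ca_cert, csr, issue_from_csr(csr, ca_cert, ca_key, ["host.example.test"])
```

Because the CSR is requester-controlled input, any extension taken from `csr.extensions` should go through an explicit allow-list rather than being copied wholesale.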