Adding SAN to CSR? #180

Open
Scepticalist opened this issue Oct 27, 2022 · 4 comments
Labels
enhancement This is a new feature request. Not a bug really.

Comments

@Scepticalist

Scepticalist commented Oct 27, 2022

Hi - Is there an equivalent in PSPKI of the following, which amends a CSR and authorises it, so that the new CSR can be submitted later?

certreq -policy -config CAserver/CAInstance PathToCSR.csr InfFilewithSANsettings.inf PathToNewCSRFile.csr

Where the Inf file is formatted as:


[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=san1.fqdn&"

etc

Loving your module, many thanks

@Crypt32
Collaborator

Crypt32 commented Oct 28, 2022

There is no built-in functionality to create certificate requests. You may need to use certreq with INF template.

@Scepticalist
Author

Yeh, was looking for a way to script it without certreq dependency.

We automatically issue certs when requested, else I could amend the cert before issue, which is why I want to amend the CSR.

Thanks

@Crypt32
Collaborator

Crypt32 commented Oct 28, 2022

> Yeh, was looking for a way to script it without certreq dependency.
>
> We automatically issue certs when requested, else I could amend the cert before issue, which is why I want to amend the CSR.
>
> Thanks

You cannot amend the request, because it is digitally signed. By editing the CSR you break the signature. You can edit extensions on the CA when the request is placed in the pending requests folder. You can use the Set-CertificateExtension command for this scenario.

Crypt32 added the question ("This is a general question.") label Oct 28, 2022
@Scepticalist
Author

Scepticalist commented Oct 28, 2022

> > Yeh, was looking for a way to script it without certreq dependency.
> > We automatically issue certs when requested, else I could amend the cert before issue, which is why I want to amend the CSR.
> > Thanks
>
> You cannot amend the request, because it is digitally signed. By editing the CSR you break the signature. You can edit extensions on the CA when the request is placed in the pending requests folder. You can use the Set-CertificateExtension command for this scenario.

You can amend the request - with the certreq command as I specified above, the command returns a new CSR which you can then submit. - I do it regularly, try it yourself.

I'm assuming that the CA is effectively appending the requirement to the CSR file, which it recognises and actions when you submit it.

Crypt32 added the enhancement ("This is a new feature request. Not a bug really.") label and removed the question ("This is a general question.") label Sep 18, 2023
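
The point raised in the thread that a CSR is signed over its contents, as an added example that is not part of the thread or of PSPKI: it builds a PKCS#10 request with the SAN already included using .NET's CertificateRequest (no certreq), then changes one byte of the SAN and re-checks the signature. The function names and the subject `CN=host.example` are illustrative assumptions, and it assumes PowerShell 7.3 or later on .NET 7 or later.

```powershell
# Added example, not PSPKI code. Assumes PowerShell 7.3+ (.NET 7+) for LoadSigningRequest.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-SanCsr {
    # Build a PKCS#10 request that carries its SAN extension from the start.
    param([string]$Subject, [string[]]$DnsName)
    $key = [RSA]::Create(2048)   # demo key, discarded below; a real script must keep it
    try {
        $req = [CertificateRequest]::new($Subject, $key,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $san = [SubjectAlternativeNameBuilder]::new()
        foreach ($name in $DnsName) { $san.AddDnsName($name) }
        $req.CertificateExtensions.Add($san.Build())
        $der = $req.CreateSigningRequest()
        return ,$der             # leading comma stops PowerShell unrolling the byte[]
    } finally { $key.Dispose() }
}

function Test-CsrSignature {
    # True only if the request parses and its self-signature verifies.
    param([byte[]]$Der)
    try {
        $null = [CertificateRequest]::LoadSigningRequest($Der, [HashAlgorithmName]::SHA256,
            [CertificateRequestLoadOptions]::Default, [RSASignaturePadding]::Pkcs1)
        return $true
    } catch { return $false }
}

function Test-AmendedCsr {
    # Constructed sample request using the SAN value from the INF snippet above.
    $csr = New-SanCsr -Subject 'CN=host.example' -DnsName 'san1.fqdn'
    $edited = [byte[]]$csr.Clone()
    # Same-length edit of the SAN (san1 -> san2) so the DER structure still parses.
    $text = [Text.Encoding]::Latin1.GetString($edited)
    $offset = $text.IndexOf('san1.fqdn', [StringComparison]::Ordinal)
    $edited[$offset + 3] = [byte][char]'2'
    [pscustomobject]@{
        OriginalValid = Test-CsrSignature $csr
        EditedValid   = Test-CsrSignature $edited
    }
}

Test-AmendedCsr
```

The edited copy fails verification because the signature covers the extension request inside the CSR.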