[kmf-discuss] signing/verifying certificates with pktool(1)
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Jan 8 12:06:25 PST 2008
Darren J Moffat wrote:
> Wyllys Ingersoll wrote:
>
>> Thanks! I will look into this. I think we will need to add new commands
>> to pktool and get them ARC approved since it is a new interface.
>>
>> I'm thinking of something like:
>>
>> pktool signcsr
>> [keystore=pkcs11|file|nss]
>> signkey=label/filename of signing key (label if keystore=PKCS11 or NSS, filename if file)
>> csr=CSR filename
>> serial=serial number hex string
>> outcert=filename for resulting certificate.
>> outformat=pem|der
>>
>
>
> I think it would be useful to be able to override some of the things in
> the CSR: subject, altname, keyusage, lifetime.
>
>
I don't follow. Why would the CA override the requestor's subject name or SubjectAltName or any of those fields in the CSR? If they don't match the policies of the CA, it can reject the signing request altogether, but I don't think it would be appropriate for the signing agent to change the request without the requestor's consent.

The "lifetime" parameters are not part of a CSR and are always set by the CA. keyusage, subject name, and other extensions are set by the requestor.
-Wyllys
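The division of labour argued for above, as an added example that is not part of the thread and not pktool(1) code: openssl(1) (assumed installed, 1.1.1 or newer) stands in for the proposed `pktool signcsr`, and everything else (the scratch CA, its policy, the sample subjects and DNS names) is constructed for the demonstration. The CA copies subject, subjectAltName and keyUsage from the CSR unchanged, refuses rather than rewrites a request that fails its policy, and supplies the serial number and lifetime itself.

```shell
#!/bin/sh
# Added example for the exchange above; not from the kmf-discuss thread or from
# pktool(1).  openssl(1) (assumed installed, 1.1.1 or newer) stands in for the
# proposed "pktool signcsr", with a throw-away CA in a scratch directory:
#   - subject, subjectAltName and keyUsage are taken from the CSR unchanged;
#   - a CSR that fails CA policy is rejected, never rewritten;
#   - serial number and lifetime are set by the CA, never by the CSR.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ='/C=US/O=Example Corp/CN=Example Test CA'   # constructed sample CA
# CA side: key, self-signed cert and the bookkeeping openssl ca(1) needs.
# policy_match refuses any request whose C or O differ from the CA's own.
setup_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 1000 > "$WORK/ca/serial"          # the CA owns the serial counter
    cat > "$WORK/ca/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = example_ca
[ example_ca ]
dir             = $WORK/ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
unique_subject  = no
policy          = policy_match
copy_extensions = copy
x509_extensions = leaf_ext
[ policy_match ]
countryName      = match
organizationName = match
commonName       = supplied
# CA-owned extension; with copy_extensions = copy it wins over a CSR's CA:TRUE.
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
        -config "$WORK/ca/ca.cnf" -extensions ca_ext \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
}
# Requestor side: key plus CSR with the requestor's own subject, SAN and
# keyUsage.  $1 name, $2 subject, $3 DNS name, $4 optional extra extension.
make_csr() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n[ req_ext ]\n%s\n%s\n%s\n' \
        "subjectAltName = DNS:$3" \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        "${4:-}" > "$WORK/$1.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" -config "$WORK/$1.cnf" \
        -reqexts req_ext -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# CA side, the stand-in for "pktool signcsr csr=... serial=... outcert=...":
# $1 name, $2 lifetime in days (a CA decision; a CSR carries none).  A request
# asking to be a CA is refused outright, and openssl ca(1) refuses a subject
# that fails policy_match.  Nothing in the CSR is edited.
signcsr() {
    if openssl req -in "$WORK/$1.csr" -noout -text | grep -q 'CA:TRUE'; then
        echo "rejected $1.csr: request asks for basicConstraints CA:TRUE" >&2
        return 1
    fi
    if ! openssl ca -batch -notext -config "$WORK/ca/ca.cnf" -days "$2" \
            -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>"$WORK/$1.err"; then
        echo "rejected $1.csr: $(tr '\n' ' ' < "$WORK/$1.err")" >&2
        return 1
    fi
    echo "signed $1.csr -> $1.crt ($2 days)"
}
# Read back what the CA actually issued.
cert_field() { openssl x509 -in "$WORK/$1.crt" -noout "$2"; }   # e.g. -serial
cert_has()   { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"; }
cert_san() {
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}
subject_preserved() {   # issued subject equals the requested one, unedited
    [ "$(openssl x509 -in "$WORK/$1.crt" -noout -subject)" = \
      "$(openssl req -in "$WORK/$1.csr" -noout -subject)" ]
}
demo() {
    setup_ca
    make_csr web '/C=US/O=Example Corp/CN=www.example.com' www.example.com
    signcsr web 90                      # accepted; CA picks serial and lifetime
    cert_field web -serial; cert_san web
    make_csr other '/C=US/O=Other Org/CN=www.example.com' www.example.com
    signcsr other 90 || true            # rejected: O= does not match CA policy
    make_csr sub '/C=US/O=Example Corp/CN=sub' sub.example.com \
        'basicConstraints = critical, CA:TRUE'
    signcsr sub 90 || true              # rejected: requestor asked to be a CA
}
demo
```

Two caveats when reusing this with a real openssl ca(1) setup: the policy section must list every DN component the CA is willing to accept, because components not mentioned there are silently deleted from the issued subject unless `-preserveDN` is given (which is exactly the kind of unrequested edit the reply objects to), and `copy_extensions = copy` only protects the extensions the CA defines itself, which is why the script inspects the CSR for a requested CA:TRUE and rejects it instead of quietly dropping it.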