So as it says, how am I supposed to allow Internal CA to sign CSR?

This would be for scenarios where you cannot easily replace a private key for a client, so the preferred process uses CSRs instead.

Is it even possible?

Tyler Dee
  • https://www.openssl.org/docs/man1.1.0/apps/ca.html#EXAMPLES There's a ton of guides for this, but it's not a simple process if you don't already have a CA provisioned. – Andrew Domaszek Sep 20 '17 at 11:18
  • @AndrewDomaszek I'm not really sure what You mean by "Provisioned CA"? Does that mean that Internal CA already exists, or something? – Tyler Dee Sep 20 '17 at 11:24
  • Right, do you already have an internal CA set up and the CA certificate installed as trusted on the clients? If yes, you can directly sign the CSR using the `openssl ca` subcommand and the output file will work. – Andrew Domaszek Sep 20 '17 at 11:27
  • Alright, got it. I will prototype it asap. Thank You! @AndrewDomaszek – Tyler Dee Sep 20 '17 at 11:29
  • It works like a charm! Thank You @AndrewDomaszek . Can You post the comment as an answer so I can vote it and select it as solution, please? – Tyler Dee Sep 20 '17 at 12:31

1 Answer

There are a number of `openssl ca` subcommand examples on the manpage. The standard method of signing a CSR is the same, regardless of how you generate it or what you generate it from. For example, signing using the default extensions for this CA's config:

    openssl ca -in csr.pem -out newcert.pem

This requires the internal CA already be set up for cert signing, and the internal CA's certificate be added to the trust root stores of any clients that may need to validate it.

Andrew Domaszek
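
The whole flow discussed above, as an added example that is not part of the answer or of the OpenSSL documentation: a shell function that provisions a throwaway CA, creates a client key and CSR, signs the CSR with `openssl ca`, and validates the result against the CA certificate. The config file contents, subject names, serial and lifetimes are constructed for the demo, and it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
# Constructed demo: everything lives in a temp dir that is removed on exit.
sign_csr_demo() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 1
    mkdir -p ca/newcerts
    : > ca/index.txt          # issued-certificate database, starts empty
    echo 1000 > ca/serial     # next serial number, hex
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 90
policy = demo_policy
x509_extensions = leaf_ext
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = dn
[ dn ]
EOF
    # 1. Provision the CA once: self-signed CA certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions ca_ext \
        -subj "/CN=Demo Internal CA" -days 365 -keyout ca/ca.key -out ca/ca.crt 2>/dev/null || exit 1
    # 2. Client: key and CSR. Only csr.pem is handed to the CA; client.key stays put.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=client01.internal.example" -keyout client.key -out csr.pem 2>/dev/null || exit 1
    # 3. CA: sign the CSR. Extensions come from leaf_ext, not from the CSR,
    #    because copy_extensions is left at its default (none).
    openssl ca -batch -notext -config ca.cnf -in csr.pem -out newcert.pem 2>/dev/null || exit 1
    # 4. Any client that trusts ca.crt can now validate the issued certificate.
    openssl verify -CAfile ca/ca.crt newcert.pem
)
```

Drop the `2>/dev/null` redirections when adapting this, so that policy mismatches and database errors from `openssl ca` are visible.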