I can't find direct support. But there are similarities among CRMF and
PKCS10. Both of them are certificate requests.

But very different in the detailed content. There are several advantages in using generateCRMFRequest() to generate the request and it's definitely the method that has a future. But for compatibility reasons, you apparently will need to stay with the keygen tag.

Maybe I can add missing properties or extensions to the CRMF request to get
a PKCS10 request. And then go on with openssl ca ...

You can't because the PKCS10 request is signed.

Technically, you could extract the required bits from the CRMF request (you'd need to define everything that's needed to decode this specific DER format that is unknown to openssl at present, though), and put them in a PKCS#10 request, but you couldn't sign the PKCS#10.

But if you were to do something that complex, you could just as well directly add CRMF support in openssl. Which would be nice.
mozilla-crypto mailing list
