On Sat, Jul 07, 2012, pro...@secure-mail.biz wrote:

> Hello,
> is it possible to sign a foreign SSL public key without having CSR/private 
> key?
> Background:
> Because the public root CA's failed at least twice (DigiNotar, Comodo), I'd 
> like to pin a SSL certificate from a website I have no control over. 
> (Therefore I no access the the private key and can subsequently also not 
> create a CSR.) Pin the SSL cert by using a local self signed CA.

I'm not sure if this will help but for testing purposes I needed to generate
some certificates using DH keys. Since you can't sign with DH you can't create
a CSR directly. I added an option -force_pubkey to the OpenSSL 'x509' utility
to do this. It is only in HEAD at present.

So what you do is create a CSR normally using any key then when you "sign" it
to create a certtificate you specify the foreign key using -force_pubkey.
There is an example of its use in demos/certs/mkcerts.sh

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to