Is the CSR (PKCS#10) the same for CV Certificate and X.509?

Is the CSR (Certificate Signing Request, PKCS#10) the same for Card Verifiable Certificates (CVC) and X.509?
Best regards.

Related

How do I import a CSR reply back into my key-pair via command line?

I've created a keystore with an initial key-pair using the keytool -genkeypair command, then generated the CSR using the keytool -certreq command, then got it signed by our CA. Now that I have the CSR reply myCSRreply.cer, how do I incorporate the CSR reply into my original key-pair?
I've tried simply importing the CSR reply to my keystore using keytool -import command but that did not change my original key-pair. It simply added the CSR reply as another entry. I'm expecting it to change the issuer and thumbprint of my original key-pair.
I'm able to do what I want to achieve via KeyStore explorer as shown in the following screenshot but I need to know how to do this in command line.
If I tried importing where I specify the CSR reply file and the alias to my original key-pair, I'm getting the following error.
keytool error: java.lang.Exception: Failed to establish chain from reply
The command I used to import CSR back into my key-pair that generated that error:
keytool -keystore myKeyStore.pfx -importcert -file myCSRreply.cer -alias mykeypair
Question
How do I import the CSR reply back into my key-pair via command line such that it's going to take the thumbprint and the issuer of the CSR reply as the new attributes of my original key-pair? (I'm just assuming this is the expected outcome because when I generate JWT using the private key that takes its thumbprint, authentication fails)
Is CSR reply really meant to alter the thumbprint and issuer attributes of the key-pair in which the CSR was generated from?
The command you're executing is fine. You don't have the complete certificate chain for the new certificate.
When you generated the mykeypair key pair, keytool wrapped mykeypair's public key in a self-signed certificate. (That's why you had to provide its expiration date and other details during generation.) As a result, it forms a complete certificate chain by itself; it's a root certificate. keytool always wants a complete certificate chain for every certificate.
When you attempt to import the CSR reply, you're importing a new certificate. At this time, keytool will try to build a certificate chain for it. keytool will search the key store and trust store until it reaches a trusted root certificate. If it can't do that, the import will fail.
Read the following documentation:
Import a Certificate for the CA
You now need to replace the self-signed certificate with a certificate chain, where each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a root CA.
Before you import the certificate reply from a CA, you need one or more trusted certificates in your keystore or in the cacerts keystore file. See -importcert in Commands.
If the certificate reply is a certificate chain, then you need the top certificate of the chain. The root CA certificate that authenticates the public key of the CA.
If the certificate reply is a single certificate, then you need a certificate for the issuing CA (the one that signed it). If that certificate is not self-signed, then you need a certificate for its signer, and so on, up to a self-signed root CA certificate.
...
You import a certificate for two reasons: To add it to the list of trusted certificates, and to import a certificate reply received from a certificate authority (CA) as the result of submitting a Certificate Signing Request to that CA (see the -certreq option in Commands).
keytool Documentation
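As an added example (not part of the answer above), here is the whole sequence on the command line, with a throwaway OpenSSL root CA standing in for "our CA". It first reproduces the "Failed to establish chain from reply" error, then imports the issuer as a trusted entry and re-imports the reply onto the key-pair alias. The keystore name, aliases, passwords and CN are made up for the demo; it needs keytool (a JDK) and openssl 1.1.1 or newer on the path.

```shell
#!/bin/sh
# Added example: reproduce "Failed to establish chain from reply" and fix it.
# All names (ks.p12, mykeypair, rootca, Example Root CA) are made up for the demo.
set -eu

demo_import_reply() {
  work=$(mktemp -d)
  cd "$work"
  pass=changeit

  # 1. A throwaway root CA (constructed here) standing in for "our CA".
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout ca.key -out ca.crt -subj "/CN=Example Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

  # 2. Key pair in a PKCS12 keystore; keytool wraps it in a self-signed cert.
  keytool -genkeypair -keystore ks.p12 -storetype PKCS12 -storepass "$pass" \
    -alias mykeypair -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=www.example.com" >/dev/null 2>&1

  # 3. CSR, then the CA's reply (a single end-entity certificate, no chain).
  keytool -certreq -keystore ks.p12 -storepass "$pass" -alias mykeypair \
    -file req.csr >/dev/null 2>&1
  openssl x509 -req -in req.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 365 -out reply.cer >/dev/null 2>&1

  # 4. Importing the reply onto the key alias with no trusted issuer in the
  #    keystore must fail: keytool cannot build a chain from reply.cer to a root.
  if keytool -importcert -keystore ks.p12 -storepass "$pass" -alias mykeypair \
       -file reply.cer -noprompt >/dev/null 2>&1; then
    echo "unexpected: import succeeded without the CA certificate"
    return 1
  fi

  # 5. Fix: first add the issuer as a trusted certificate entry ...
  keytool -importcert -keystore ks.p12 -storepass "$pass" -alias rootca \
    -file ca.crt -noprompt >/dev/null 2>&1
  #    ... then import the reply onto the SAME alias as the key pair. keytool
  #    checks that the reply's public key matches the stored private key and
  #    replaces the self-signed certificate with the chain [reply, rootca].
  keytool -importcert -keystore ks.p12 -storepass "$pass" -alias mykeypair \
    -file reply.cer -noprompt >/dev/null 2>&1

  # 6. Verify: the key entry now carries a two-certificate chain issued by our CA.
  listing=$(keytool -list -v -keystore ks.p12 -storepass "$pass" -alias mykeypair 2>/dev/null)
  echo "$listing" | grep -q "Certificate chain length: 2" || return 1
  echo "$listing" | grep -q "Issuer: CN=Example Root CA" || return 1

  cd / && rm -rf "$work"
  echo ok
}
```

The private key never changes in step 5; what changes is the certificate attached to the entry, so its fingerprint ("thumbprint") and issuer become those of the CA-issued certificate, which is what a JWT consumer keyed on the certificate thumbprint would expect.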

Can the signing CA fill the ExtendedKeyUsage on my csr?

I have generated a csr with:
Requested Extensions:
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
Code Signing
If I now generate a csr without the above Requested Extensions: will it still be possible for the CA to add Code Signing usage to my certificate? (e.g. by requesting it through a web form?)
Yes. CAs often ignore extensions from incoming requests (though that depends on CA configuration) and include extensions based on the CA's configuration.
The only thing a CA cannot modify from the CSR is the public key. Everything else can be changed by the CA in the issued certificate.
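An added example (not from the answer above) that shows this behaviour with OpenSSL: one CSR with no requested extensions and one that asks for a serverAuth EKU are both signed under a CA profile that grants digitalSignature plus codeSigning. The issued certificates carry Code Signing, the requested serverAuth is dropped, and only the public key survives from the request. CA name, subject and file names are made up; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: the CA profile, not the CSR, decides the issued extensions.
# All names are made up for the demo; a throwaway CA is constructed inline.
set -eu

demo_ca_controls_extensions() {
  work=$(mktemp -d)
  cd "$work"

  # Throwaway issuing CA (constructed for the demo).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout ca.key -out ca.crt -subj "/CN=Demo Issuing CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

  # CSR 1: no Requested Extensions at all.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout sub.key \
    -out plain.csr -subj "/CN=signer.example.net" >/dev/null 2>&1
  openssl req -in plain.csr -noout -text | grep -q "Requested Extensions" && return 1

  # CSR 2: same key, but asks for an EKU the CA profile does not grant.
  openssl req -new -key sub.key -sha256 -out wants_server.csr \
    -subj "/CN=signer.example.net" -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1

  # The CA's issuance profile: applied to every request regardless of content.
  # (openssl x509 -req does not copy requested extensions unless told to.)
  cat > codesign.ext <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

  for csr in plain.csr wants_server.csr; do
    openssl x509 -req -in "$csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -sha256 -days 365 -extfile codesign.ext -out "$csr.crt" >/dev/null 2>&1
    text=$(openssl x509 -in "$csr.crt" -noout -text)
    # Code Signing is present although neither CSR asked for it ...
    echo "$text" | grep -q "Code Signing" || return 1
    # ... and the serverAuth EKU requested in CSR 2 did not make it in.
    echo "$text" | grep -q "TLS Web Server Authentication" && return 1
    # The one thing the CA must not change: the public key.
    csr_key=$(openssl req -in "$csr" -noout -pubkey)
    crt_key=$(openssl x509 -in "$csr.crt" -noout -pubkey)
    [ "$csr_key" = "$crt_key" ] || return 1
  done

  cd / && rm -rf "$work"
  echo ok
}
```

So whether your web-form request ends up with Code Signing depends entirely on the profile the CA applies on its side; what you put in the CSR is at most a hint.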

Can we automate signing request of CSR generated by ACM?

Using AWS ACM Cert authority, I have created a CSR for subordinate CA following this step.
I further need to sign the CSR (as mentioned below):
Currently we do not have any infrastructure to sign the CSR using the root CA's private key. We currently have a root CA from Entrust.
The goal is to automate this signing request using the ACM SDK.
How do I proceed further with signing the CSR with this root CA's private key?
I strongly advise you to get someone who understands PKI to set up an internal certificate authority for you.
You can sign a CSR using openssl. Here is an example command.
openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/www.example.com.csr.pem \
-out intermediate/certs/www.example.com.cert.pem
Here is a link to an example openssl.cnf:
http://web.mit.edu/crypto/openssl.cnf

Restore a missing Certificate Enrollment Request

A CSR was created through certreq and is not showing in the Certificate Enrollment Request store, causing an inability to complete the certificate. I have tried importing the CSR into the Certificate Enrollment Request store and get "the file type is not recognizable". Any suggestion on how to get the CSR into that folder would be appreciated.

How to create a Certificate Request for a CVC certificate, like X.509 (PKCS#10), in Java?

How do I create a Certificate Request for a CVC certificate, like X.509 (PKCS#10), in Java, to send as a certificate signing request to the EJBCA Certificate Authority?
Thanks in advance
You can use the cert-cvc library, which is also open source. It is part of EJBCA and comes with sample code. You can find more information and the download at the ejbca.org site.