Main CAcert Website
0000444: Automated Certificate Issuing
It would be nice for people/companies that host websites for other people to easily be able to issue certificates with lots of subjectAltNames, so that all sites can be hosted on the same IP and, as new domains are added or removed, new certificates can easily be generated reflecting the changes.
The reason this is important is due to all the unencrypted traffic that is not only being sniffed, but also recorded so the more traffic that can be encrypted the better.
We already have an API:
We have thought about implementing an automatic enrollment into mod_ssl, but we don't have the development capacity for it yet.
If you are not into an API, try my script (or even improve it)
Sourcerer: what do you think about people pasting the openssl public key (not the CSR) on the website and typing their subjectAltNames into a web form, then CAcert assembles the CSR and gives them the signed cert?
CSRs are digitally signed requests. So the people would have to upload their openssl secret key as well. Nah, that's not a good idea.
Is a CSR signed? Then how does the CAcert website edit the pasted CSRs (stripping unrecognized data) and still create certificates based on them? We can clearly do that already, we just need to do it the right way.
CSRs are signed by the requestor in order to prove that the requestor owns the private key.
The CA doesn't sign the CSR as such, but the relation between public key and CN - and it's up to the CA *which* CN it uses.
(Compare this to GPG keys: only the key owner can create self-signed UIDs, but anyone can add and sign any UID to any key.)
So theoretically it should be possible to create a cert from a public key and a list of subjectAltNames. But you have to skip the CSR somehow.
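The mechanics described in the notes above, as an added example that is not CAcert's code and not part of the original report: the CA checks the CSR's self-signature as proof that the requester holds the private key, takes the subjectAltName list from its own data rather than from the request, and, for the "public key plus list of names" idea, skips the requester's CSR entirely by building a template request with its own key and swapping in the requester's public key with openssl's `-force_pubkey`. It assumes a working `openssl` (1.1.1 or 3.x) on PATH; the CA name, the hoster's domain list and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not CAcert's code. Assumes `openssl` 1.1.1 or 3.x on PATH.
# All names (Toy Issuing CA, *.example, user.*) are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The SAN list the hoster would type into a web form (constructed sample data).
CA_SANS="DNS:shop.example,DNS:blog.example,DNS:mail.example"

# A throwaway issuing CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -out "$WORK/ca.pem" -subj "/CN=Toy Issuing CA" -days 1 2>/dev/null
}

# Requester side: a private key, a CSR whose CN the CA will not honour,
# and the bare public key (what the "paste the public key" proposal uploads).
make_requester() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/user.key" 2>/dev/null
  openssl req -new -key "$WORK/user.key" \
      -subj "/CN=whatever-the-user-typed.example" -out "$WORK/user.csr" 2>/dev/null
  openssl pkey -in "$WORK/user.key" -pubout -out "$WORK/user.pub" 2>/dev/null
}

# CA side, check 1: the CSR's self-signature is the proof of possession.
# A request whose signature does not verify is rejected here.
csr_signature_ok() {
  openssl req -in "$1" -verify -noout >/dev/null 2>&1
}

# Path 1: sign a real CSR, but the SAN extension comes from the CA's list,
# not from anything in the request (-extfile replaces, it does not copy).
issue_from_csr() {
  csr_signature_ok "$WORK/user.csr" || return 1
  printf 'subjectAltName=%s\n' "$CA_SANS" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" \
      -out "$WORK/from_csr.pem" 2>/dev/null
}

# Path 2: no requester CSR at all. The CA signs a template request with ITS
# own key (so the signature check passes), chooses the CN and SANs itself,
# and forces the requester's bare public key into the certificate.
issue_from_pubkey() {
  openssl req -new -key "$WORK/ca.key" -subj "/CN=shop.example" \
      -out "$WORK/template.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$CA_SANS" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/template.csr" -force_pubkey "$WORK/user.pub" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
      -extfile "$WORK/ext.cnf" -out "$WORK/from_pub.pem" 2>/dev/null
}

# Inspection helpers used to confirm what ended up in the certificates.
cert_pubkey_matches() {   # $1 cert, $2 PEM public key: same SubjectPublicKeyInfo?
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -pubin -in "$2" -pubout)" ]
}
cert_has_san() {          # $1 cert, $2 DNS name
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
cert_cn() {               # $1 cert: the subject CN as a plain string
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

main() {
  make_ca
  make_requester
  issue_from_csr
  issue_from_pubkey
  # Both certs carry the requester's key; the SANs are the CA's list in both.
  cert_pubkey_matches "$WORK/from_csr.pem" "$WORK/user.pub"
  cert_pubkey_matches "$WORK/from_pub.pem" "$WORK/user.pub"
  cert_has_san "$WORK/from_csr.pem" blog.example
  cert_has_san "$WORK/from_pub.pem" blog.example
  echo "CSR path CN (from request):   $(cert_cn "$WORK/from_csr.pem")"
  echo "pubkey path CN (chosen by CA): $(cert_cn "$WORK/from_pub.pem")"
}
main
```

Two things are worth noticing when running it. `openssl x509 -req` copies the subject from the request, so in the CSR path the CN is still the one the requester typed; only the SANs are the CA's. In the `-force_pubkey` path every name is the CA's choice, and the requester never signed anything, which is exactly the proof-of-possession the CSR normally provides and that a bare pasted public key cannot: a policy that accepts path 2 has to establish key ownership some other way, for example by challenging the requester to sign a nonce with the key.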
What I mean is: we currently create certificates with data that may come from the CSR or from the database, and we may strip data from the CSR. This already works. We just need the right user interface.
Evaldo: Can you integrate the CertApi into your script, to make it even more automatic?
Sure! Give me the right API call for signing a certificate? :P
Issue history: status new => confirmed, later confirmed => needs work. Related to 0000425.