View Issue Details

IDProjectCategoryView StatusLast Update
0000444Main CAcert Websitecertificate issuingpublic2011-09-26 07:40
Reporterhome_distiller Assigned Toevaldo  
Status needs workResolutionopen 
Summary0000444: Automated Certificate Issuing
DescriptionIt would be nice for people/companies that host websites for other people to easily be able to issue certificates with lots of subjectAltNames so that all sites can be hosted on the same IP and as new domains are added or removed new certificates can easily be generated reflecting the changes.

The reason this is important is due to all the unencrypted traffic that is not only being sniffed, but also recorded so the more traffic that can be encrypted the better.
TagsNo tags attached.
Reviewed by
Test Instructions


related to 0000425 needs work Missing parameter to select the root cert, at the API 



2007-06-22 11:15

administrator   ~0000848

We already have an API:
We have thought about implementing an automatic enrollment into mod-ssl, but we don´t have the development capacities for it yet.


2007-06-22 17:11

developer   ~0000849

If you are not into an API, try my script (or even improve it)

Sourcerer: what do you think about people pasting the openssl public key (not csr) on the website, and typing their subjectaltnames on a web form, then CAcert assembles the CSR and gives them the signed cert?


2007-06-22 17:20

administrator   ~0000852

CSR´s are digitally signed requests. So the people would have to upload their openssl secret key as well. Nah, that´s not a good idea.


2007-10-24 08:08

developer   ~0000915

Is a CSR signed? Then how the CAcert website edits the pasted CSRs (strip unrecognized data) and can still create certificates based on them? We can clearly do that already, we just need to do it the right way.


2007-10-24 10:14

reporter   ~0000927

CSR are signed by the requestor in order to prove that the requestor owns the private key.

The CA doesn't sign the CSR as such, but the relation between public key and CN - and it's up to the CA *which* CN it uses.

(Compare this to GPG keys: only the key owner can create self-signed UIDs, but anyone can add and sign any UID to any key.)

So theoretically it should be possible to create a cert from a public key and a list of subjectAltNames. But you have to skip the CSR somehow.


2007-10-24 10:42

developer   ~0000928

What I mean is: We currently create certificates with data that may come from the CSR, from the database, and we may strip data from the CSR. this already works. We just need the right user interface.


2007-11-04 01:24

administrator   ~0000940

Evaldo: Can you integrate the CertApi into your script, to make it even more automatic?


2007-11-17 17:04

developer   ~0000954

Sure! Give me the right API call for signing a certificate ? :P

Issue History

Date Modified Username Field Change
2007-06-22 03:34 home_distiller New Issue
2007-06-22 11:15 Sourcerer Note Added: 0000848
2007-06-22 17:11 evaldo Note Added: 0000849
2007-06-22 17:20 Sourcerer Note Added: 0000852
2007-10-24 08:08 evaldo Note Added: 0000915
2007-10-24 08:08 evaldo Status new => confirmed
2007-10-24 10:14 pc Note Added: 0000927
2007-10-24 10:42 evaldo Note Added: 0000928
2007-11-04 01:24 Sourcerer Note Added: 0000940
2007-11-04 01:25 Sourcerer Status confirmed => needs work
2007-11-04 01:25 Sourcerer Assigned To => evaldo
2007-11-17 17:04 evaldo Note Added: 0000954
2011-09-26 07:40 Ted Relationship added related to 0000425