
Support for CSRs (Certificate Signing Requests) #55

Closed

Conversation


@Peter42 Peter42 commented Aug 14, 2018

This pull request adds another flag to mkcert: use mkcert -csr some.csr to sign a CSR using the current CA.

I can make changes, if you don't like the code. Let me know.

@FiloSottile
Owner

Hi! Thanks for contributing.

Can you tell me a bit about when and why you needed this? I'm trying to keep mkcert a focused tool, and CSR support adds complexity and documentation needs.

Just trying to understand if this fits in the mkcert target use case.

@Peter42
Author

Peter42 commented Aug 17, 2018

Sure, I can.
There are some servers which don't allow importing a private key for security reasons. Instead, they provide you with a CSR, you sign it (or give it to a Trusted CA to get it signed) and you have to upload the signed Certificate.
This has the following background: the more you copy a private key around, transfer it over the network, etc., the more likely it becomes that it will get compromised. So generating it exactly where you need it and never ever creating any copy of it helps to keep it secure.
One example is the "SAP Cloud Platform Cloud Connector".
Another use case is Trusted Execution Environments (like Intel SGX). To ensure the key is only known to the TEE, it can never leave the TEE (or get generated outside). As far as I know, this is currently only relevant to research (but researchers also like simple tools).

@FiloSottile FiloSottile added the "enhancement" label on Jan 8, 2019
@gregorwolf

Hi @FiloSottile,
I would also greatly appreciate support for Certificate Signing Requests. In the SAP environment that I'm working in I have no direct access to the private keys and can get signed certificates only via a CSR.
Best regards
Gregor

@we11adam

Hi @FiloSottile, like @gregorwolf said, CSR support would be of great help. Please please accept this PR. I would really appreciate that!

Review comment on the template construction in the PR:

```go
PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
Version:            csr.Version,
Extensions:         csr.Extensions,
ExtraExtensions:    csr.ExtraExtensions,
```

@FiloSottile
Owner

This is not going to work: ExtraExtensions is for marshaling and Extensions is for parsing, so csr.ExtraExtensions will be empty and tpl.Extensions will be ignored.

But if you set tpl.ExtraExtensions to csr.Extensions, there's no need to copy all the SAN values below because all requested extensions will be copied.

Mailed https://go-review.googlesource.com/c/go/+/160898 to improve the docs.
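A worked illustration of the reviewer's point, added here and not code from the pull request or from mkcert itself: a CSR is parsed, its signature checked, and a certificate issued once with the requested extensions copied into ExtraExtensions (the fix) and once into Extensions (the mistake called out above), which CreateCertificate silently ignores. The CA, the CSR with its names, and the signCSR and issueDemo helpers are all constructed for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// signCSR issues a leaf certificate for a parsed CSR. CreateCertificate marshals only
// ExtraExtensions; Extensions is a parse-side field and is ignored (fixed == false shows it).
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, fixed bool) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // requester proves it holds the matching private key
	}
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(2, 3, 0)}
	if fixed {
		tpl.ExtraExtensions = csr.Extensions // carries requested SANs, KU and EKU verbatim
	} else {
		tpl.Extensions = csr.Extensions // silently dropped: no SAN in the issued cert
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// issueDemo builds a throwaway CA and a CSR for the given SANs (constructed test data),
// signs the CSR, checks the chain, and returns the DNS SANs of the issued certificate.
func issueDemo(requested []string, fixed bool) ([]string, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never leaves the requester
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "app.example.test"}, DNSNames: requested}, leafKey)
	cert, err := signCSR(csrDER, ca, caKey, fixed)
	if err != nil {
		return nil, err
	}
	return cert.DNSNames, cert.CheckSignatureFrom(ca)
}
```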

@FiloSottile
Owner

Implemented this with the same -csr flag, but took the occasion to refactor the code and to handle CSRs that come without SANs gracefully.

Thanks for the details on the use case!
