kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

Output signed certificate #181

Closed mouse07410 closed 2 years ago

mouse07410 commented 5 years ago

Is your feature request related to a problem?

This is about KSE signing a Certificate Signing Request (CSR). The problem is that none of the software I'm using (OpenSSL, OpenSC, Java) deals gracefully with what KSE outputs for "Sign CSR".

Applications typically expect a CA to intake a CSR and return a "real" certificate, in DER or PEM. KSE, however, returns a DER-encoded PKCS#7 file that contains a set of certificates, including the one requested.

It may be fine on Windows (I don't know, as I don't use it), but on Linux and Mac it creates a big problem - no software can use that response. I have to print the content of the returned PKCS#7 file, and manually edit it to extract the produced certificate.

Describe the solution you'd like

KSE should offer a choice between outputting

Describe alternatives you've considered

The only alternative I found so far is

$ openssl pkcs7 -inform DER -in <your_output.p7r> -print_certs > certs.txt
$ vi certs.txt
[ remove the dross, write the certificate in PEM format into a new file, like cert.pem]

kaikramer commented 5 years ago

I have encountered many "real" CAs that return PKCS#7 format, but I agree, there should be a choice.

mouse07410 commented 5 years ago

> I agree, there should be a choice

Thank you! Especially since there is no tool that would extract the requested cert from the PKCS#7 file (I don't consider hacking the file manually with vi or such as a "tool").
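
The manual `-print_certs` and edit step from the first post can be scripted by selecting the certificate in the PKCS#7 response whose public key matches the CSR. This is an added example, not part of the original thread or of KSE; the function name `extract_issued_cert` and its argument order are made up here, and it assumes the `openssl` CLI and `awk` are installed.

```shell
#!/bin/sh
# Usage: extract_issued_cert RESPONSE.p7r REQUEST.csr OUT.pem
# (hypothetical helper) Writes to OUT.pem the one certificate in the
# DER-encoded PKCS#7 response that carries the same public key as the CSR.
# Returns 0 on success, 1 if no certificate matches, 2 on setup errors.
extract_issued_cert() {
    p7=$1 csr=$2 out=$3
    tmp=$(mktemp -d) || return 2

    # The issued certificate must contain the public key from the request.
    want=$(openssl req -in "$csr" -noout -pubkey) || { rm -rf "$tmp"; return 2; }

    # -print_certs emits subject=/issuer= lines around each PEM block;
    # keep only the PEM blocks and write each one to its own file.
    openssl pkcs7 -inform DER -in "$p7" -print_certs |
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
            f                             { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'

    rc=1
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue            # glob did not match: empty bundle
        have=$(openssl x509 -in "$c" -noout -pubkey)
        if [ "$have" = "$want" ]; then     # same key as the CSR: the issued cert
            cp "$c" "$out"
            rc=0
            break
        fi
    done

    rm -rf "$tmp"
    return $rc
}
```

Comparing public keys rather than subject names avoids picking a CA certificate that happens to share a name with the request.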

kaikramer commented 2 years ago

Closing tickets in preparation for release of KSE 5.5.0