Convert PKCS#10 CSR to raVerified CRMF certRequest - Githubissues

mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.

https://github.com/mpeylo/cmpossl/wiki

Other

35 stars 13 forks source link

Convert PKCS#10 CSR to raVerified CRMF certRequest #151

Closed mpeylo closed 3 years ago

mpeylo commented 5 years ago

Effective use case for many RAs will be to receive PKCS#10 from legacy EEs and obtain a certificate for it from a CA.

There could be a function in CRMF that takes a PKCS#10 and converts it to an "raVerified" CRMF certRequest.

A new option in the cmp application could then trigger creating e.g. an IR/KUR based on that certRequest generated out oft the PKCS#10.

There would be benefits of using certRequest over the p10cr:

missing CMP server-side support for p10cr
opportunity for the RA to enforce fields in the certTemplate (pending RA-specific features for this)
have multiple certRequests derived from multiple PKCS#10s sent in one CMP message (pending availability of the general multiple-requests feature)

DDvO commented 3 years ago

This is meanwhile implemented as part of the upcoming OpenSSL version 3.0.