randombit
commented
5 years ago X509_CA::make_cert should do the trick here you just need to ignore the actual class and create your own PK_Signer object, which is easily done with
AlgorithmIdentifier sig_algo;
PK_Signer* signer = choose_sig_format(key, opts, rng, hash_fn, sig_algo);
X509_Certificate cert = X509_CA::make_cert(signer, rng, sig_algo, ...);That said having a cleaner interface for this is probably a good idea, for ex in above you'll have to choose your own extensions which will likely involve duplicating the code at https://github.com/randombit/botan/blob/master/src/lib/x509/x509_ca.cpp#L77
Hi, I'm currently implementing the server side of RFC7030 (certificate enrollment over https), and need a way to add some extensions or changing the subject of a request before creating the certificate (I'm not sure if this is ok to do, so if there is a reason why this would be bad i wan't to hear it) . As far as i can see there is no way to do this with botan? It's impossible to simply create a new
PKCS10_Requestas I don't have the private key, and callingX509_CA::make_cert()is also not possible as this needs a private member of the CA?So for a pull request i see two ways to implement this, and i'm not sure which one would be better:
X509_CA::make_cert()a public member function (without the signer argument)X509::create_self_signed_cert(probably a friend of X509_CA), which takes Cert_Options and the CA