feature idea: re-sign a CSR

[amlynnworth]

Hi, this is just a suggestion for something I am trying to do without python, and that is to replace the signature and public key values within a Certificate Signing Request "CSR."

This is the python-based solution: https://github.com/g-a-d/aws-kms-sign-csr

I think that, combined with AWS KMS (not AWS CloudHMS), there could be a relatively cost effective solution for independent software developers who need to codesign in a continuous integration situation, i.e. from command line on a remote "build" computer. Step 1 of that is to securely sign a CSR to give to a third party certificate supplier, so that the resulting EXE signature shows up as valid.

Meanwhile thank you for everything jsign already does.

[ebourg]

Interesting idea, thank you. Signing a CSR is fairly easy in Java with Bouncy Castle (https://stackoverflow.com/questions/7230330/sign-csr-using-bouncy-castle), however Jsign handles PKCS#7 signatures instead of raw signed hashes as found in CSR files. It might be possible to wrap the raw hash into a fake PKCS#7 structure to work around this mismatch though, I'll think about it.

[amlynnworth]

Thanks! I found a very useful ASN.1 visualizer today: https://lapo.it/asn1js/
-- useful at least for those of us who do not already see the structure and sequences clearly.

And, to help the search engines, ASN.1 for Dummies