`renew-req` does not work from the CA signing side PKI #678
Comments
CA end Simply keep the private key in place.

I think this is an issue with revoke, not so much renew-req. I do wonder if re-signing an identical req is worth the cogitative load: The user already generated the req with the correct subject (and sAN and other exts) and there are no date-stamps in the req.

Currently, this only works for a remote CSR and private key. Article

In the remote case I'm not sure
I'm not sure what benefits ¹ or that's what I would do if I hadn't patched in a --retire(/--no-retire) so that the CSR didn't get moved during the revoke stage (or as the case truly is: the

The idea of This can be corrected soon enough. Leaving the milestone as-is.

Closed via #685
When the private key is located at a remote location and `renew-req` is used at the remote location then `renew-req` works correctly:

- `renew-req` generates a New CSR with the original key - Original CSR is over-written.
- `pki/revoked`.
- `import`s the New CSR.

This does not work when the private key is located at the CA location:

- `renew-req` generates a New CSR with the original key - Original CSR is over-written.
- `pki/issued`.
- `pki/revoked`.

The New CSR and original private key should not be moved to `pki/revoked`.

The obvious fix appears to be new command option `keep-key`, eg:

- `revoke client1 keep-key [reason]` - Original CSR and signed-cert are moved to `pki/revoked`.
- `renew-req` generates a New CSR with the original key.
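An added sketch, not Easy-RSA code and not part of the issue: a shell model of the file moves described above, comparing renew-req followed by a plain revoke with the proposed `revoke ... keep-key` followed by renew-req. The `pki/reqs` and `pki/private` directories, the flat `pki/revoked` layout, the placeholder file contents and every function name are assumptions for illustration.

```shell
#!/bin/sh
# Simplified model of the file moves described in this issue; not Easy-RSA code.
# Assumed layout: pki/reqs/NAME.req, pki/private/NAME.key, pki/issued/NAME.crt.
# Placeholder text stands in for real keys, CSRs and certificates (constructed).

new_pki() {            # create a throwaway PKI with one issued entity
    pki=$(mktemp -d) || return 1
    mkdir -p "$pki/reqs" "$pki/private" "$pki/issued" "$pki/revoked"
    echo "key-A"         > "$pki/private/$1.key"
    echo "csr-1(key-A)"  > "$pki/reqs/$1.req"
    echo "cert-1(key-A)" > "$pki/issued/$1.crt"
    echo "$pki"
}

renew_req() {          # new CSR from the key in place; overwrites the old CSR
    [ -f "$1/private/$2.key" ] || return 1
    echo "csr-2($(cat "$1/private/$2.key"))" > "$1/reqs/$2.req"
}

revoke() {             # revoke PKI NAME [keep-key]
    mv "$1/issued/$2.crt" "$1/revoked/"
    [ -f "$1/reqs/$2.req" ] && mv "$1/reqs/$2.req" "$1/revoked/"
    # Without keep-key the private key leaves the working PKI as well.
    [ "${3:-}" = keep-key ] || mv "$1/private/$2.key" "$1/revoked/"
}

state() {              # what is still in place for NAME after the sequence
    req=missing; key=missing
    [ -f "$1/reqs/$2.req" ] && req=$(cat "$1/reqs/$2.req")
    [ -f "$1/private/$2.key" ] && key=in-place
    echo "req=$req key=$key"
}

ca_flow() {            # ca_flow current|keep-key -> final state for client1
    pki=$(new_pki client1) || return 1
    if [ "$1" = keep-key ]; then
        revoke "$pki" client1 keep-key && renew_req "$pki" client1
    else
        renew_req "$pki" client1 && revoke "$pki" client1
    fi
    state "$pki" client1
    rm -rf "$pki"
}

echo "renew-req then revoke:          $(ca_flow current)"
echo "revoke keep-key then renew-req: $(ca_flow keep-key)"
```

In the first sequence the freshly generated CSR and the only copy of the private key both end up under `pki/revoked`, so nothing is left in place to sign; in the second the key never moves and the new CSR is ready for signing.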