<html><head></head><body><div class="ydpe83b84d3yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div><div dir="ltr" data-setdir="false">Thanks everyone for the replies and the community support. I don't think I got across what I am trying to do. I have experimented with subcommands req and x509. The openssl x509 -in <cert> -x509toreq -signkey <alt-key-file> does *NOT* do what I want (I'm pretty sure).</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">openssl x509 -x509toreq may sign a certificate signing request (csr) with a different key, but (as far as I can tell via the -text output) it does not change the public key documented (does not change the RSA Public key modulus) in the output request to match the private signature file. The -text output from the input and output csr's are identical. Neither do I see how a request (csr) could be provided to the subcommand x509 -x509toreq or to subcommand req to alter an existing csr to have a new domain authentication key (the documented public key). <span>The req subcommand seems completely irrelevant to what I'd like to do. Is this an unusual use case?</span><br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">I believe I will have to use a config file via the -config <file> option to support the creation of a new request with a new domain authentication key. Do I want to change my architecture to support that? No, cause it's working well from the given crs file, but I want domain key rollover on automatic renewal. If I must create a new csr from scratch to support domain key replacement, the csr is not a viable starting point, and neither is the certificate file from the CA. Is there a flaw in my logic?<br></div><div><br></div><div class="ydpe83b84d3signature"><div>Douglas Morris<br></div></div></div>
<div><br></div><div><br></div>
</div><div id="yahoo_quoted_1366892303" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Friday, January 31, 2020, 4:42:21 AM EST, Dirk-Willem van Gulik <dirkx@webweaving.org> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="yiv3986365906"><div></div><div><div class="yiv3986365906" style="word-wrap:break-word;"><br class="yiv3986365906" clear="none"><div class="yiv3986365906">On 31 Jan 2020, at 01:25, Douglas Morris <<a rel="nofollow" shape="rect" class="yiv3986365906" ymailto="mailto:dougbmorris@yahoo.com" target="_blank" href="mailto:dougbmorris@yahoo.com">dougbmorris@yahoo.com</a>> wrote:</div><div class="yiv3986365906"><br class="yiv3986365906" clear="none"><blockquote class="yiv3986365906" type="cite"><span class="yiv3986365906" style="">Interesting. I think I misunderstood this explanation about the -signkey <file> option: "</span><span class="yiv3986365906" style="">This option causes the input file to be self signed using the supplied private key.</span><span class="yiv3986365906" style="">"</span><br class="yiv3986365906" clear="none"><div class="yiv3986365906"><div class="yiv3986365906"><div class="yiv3986365906ydpa7863b90yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div class="yiv3986365906"><div class="yiv3986365906" dir="ltr"><br class="yiv3986365906" clear="none"></div><div class="yiv3986365906" dir="ltr">Your input has me thinking that a certificate signing request is in fact self-signed like a self-signed certificate is self-signed. I think I mistakenly supposed any self-signing meant acting like a "mini CA". I shall give those two x509 options, '<span class="yiv3986365906">-x509toreq' and '<span class="yiv3986365906">-signkey</span>',</span> a try.<br class="yiv3986365906" clear="none"></div></div></div></div></div></blockquote></div><br class="yiv3986365906" clear="none"><div class="yiv3986365906">Correct - a CSR is generally signed by the party submitting it - thus proving that he or she has access to their own private key.</div><div class="yiv3986365906yqt1804298552" id="yiv3986365906yqtfd69782"><div class="yiv3986365906"><br class="yiv3986365906" clear="none"></div><div class="yiv3986365906">Dw.</div></div></div></div></div></div>
</div>
</div></body></html>