
certificate creation from given CSR

Open Dvergatal opened this issue 4 years ago • 4 comments

Hi all, I have a question, because I couldn't find a straight answer to my problem.

In our company we have a device which has an engine for producing a device private key and a CSR signed by this private key. Now the problem is that we would like to send this CSR through our service (which is on this device), i.e. to the Lemur service, and ask it to produce a device certificate. From what I have read, the Lemur service doesn't create certificates from a CSR but instead creates the user's private key together with the certificate and sends it back to the client. Correct me if I'm wrong.

And the question is: is it possible to send a CSR to Lemur and create a user's certificate from it?

Dvergatal avatar Jan 27 '21 13:01 Dvergatal

Hi @Dvergatal,

Lemur allows supplying a CSR during certificate creation, and it will use the CSR for the request to the CA for certificate issuance. In the UI, you can supply the CSR on the second page of the certificate creation dialog.

For the API, I would refer to the documentation: https://lemur.readthedocs.io/en/0.8.0/developer/index.html#post--certificates

hosseinsh avatar Jan 27 '21 18:01 hosseinsh

Hi @hosseinsh, OK, so if I create a CSR (certificate signing request) and pass it via MQTT, HTTPS, whatever protocol, it doesn't matter which, the Lemur service will receive it and sign it with its root CA private key, which will generate a client certificate for me, right? I'm asking because from what I have read it was written that the client private key is generated by Lemur, and I do not want to have this private key in Lemur. I have an HSM on my device which is used for private key and CSR generation. Then I want to send the CSR to the service and generate from it a PEM certificate which will be returned to my device.

Dvergatal avatar Jan 27 '21 18:01 Dvergatal

@Dvergatal correct, you can let Lemur create a client certificate just from a CSR. This is a common pattern supported in Lemur. Note that Lemur supports different issuers, e.g. public CAs (DigiCert, Entrust, Let's Encrypt, ...) and private CAs like Lemur's internal issuer CA. You can also integrate it with other issuers.

Based on the setting you describe, you might also want to protect the private key of the issuing CA in Lemur. Lemur doesn't come with HSM support, but some of the issuer plugins do have HSM support.

hosseinsh avatar Jan 27 '21 23:01 hosseinsh
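The flow confirmed in the two replies above (key generated and kept on the device, only the CSR sent to Lemur, signed certificate returned), as an added example that is not Lemur's own code and not part of this thread. It assumes the request field names from the linked API docs (`owner`, `commonName`, `authority`, `csr`, `description`); the owner address, authority name and device hostname are placeholders. Because the script has to run offline, `issue_from_csr` is a local stand-in for what a Lemur issuer plugin does with the CSR, using a CA constructed in the script, and a software EC key stands in for the device HSM. The part worth keeping is `device_accepts`: the checks a device should run on the returned PEM before installing it.

```python
# Added example, not Lemur's own code: the device side of the CSR flow
# discussed above, plus a stand-in for what the issuer does with the CSR.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_device_csr(common_name):
    """Generate the device key and a CSR signed by it.

    ASSUMPTION: on the real device this key lives in the HSM and is not
    exportable; a software EC key stands in here. Only the CSR leaves.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def lemur_create_body(csr, owner, authority_name):
    """JSON body for POST /certificates. Field names follow the Lemur API docs
    linked above (assumed); owner and authority name are placeholders."""
    common_name = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return {
        "owner": owner,
        "commonName": common_name,
        "authority": {"name": authority_name},
        "csr": csr.public_bytes(serialization.Encoding.PEM).decode(),
        "description": "device certificate for an HSM-held key",
    }


def make_ca():
    """Self-signed CA standing in for Lemur's issuing authority (constructed)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Device CA")])
    now = datetime.now(timezone.utc)
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert


def issue_from_csr(csr_pem, ca_key, ca_cert, days=365):
    """What the issuer does with the CSR: verify its self-signature, then sign a
    certificate carrying the CSR's subject and public key. Stand-in for a Lemur
    issuer plugin; the requester's private key never appears on this side."""
    csr = x509.load_pem_x509_csr(csr_pem.encode())
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify against its own public key")
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject).public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    try:  # carry over the requested SAN; everything else is CA policy
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, critical=False)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM).decode()


def device_accepts(cert_pem, device_key, ca_cert):
    """Checks the device runs before installing the returned PEM: it must carry
    our public key (issued for our CSR, not a substituted one) and be signed by
    the CA we expect."""
    cert = x509.load_pem_x509_certificate(cert_pem.encode())
    spki = lambda k: k.public_bytes(serialization.Encoding.DER,
                                     serialization.PublicFormat.SubjectPublicKeyInfo)
    if spki(cert.public_key()) != spki(device_key.public_key()):
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    key, csr = make_device_csr("device-0001.example.net")
    ca_key, ca_cert = make_ca()
    body = lemur_create_body(csr, "secure@example.com", "device-ca")
    pem = issue_from_csr(body["csr"], ca_key, ca_cert)
    print("device accepts issued certificate:", device_accepts(pem, key, ca_cert))
```

In the real deployment the `body` dict is what goes to Lemur's `POST /certificates` (with the usual authentication), and `issue_from_csr` is replaced by whichever issuer plugin the chosen authority uses; the device-side key generation and the `device_accepts` checks stay the same regardless of the transport used to carry the CSR and certificate.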

@hosseinsh that is what I wanted to know, because from what I had read here I understood that Lemur creates the private key inside its storage and then sends it to the client (over a secure channel), which is unacceptable in our case. Btw, one last question, because I couldn't find any information about it: what protocols are available for such a scheme? In our case we are using MQTT for IoT, and I want to know if it is supported or if we need to spend some effort on writing a plugin.

Dvergatal avatar Jan 27 '21 23:01 Dvergatal