
For test purposes I want to create a certificate without signature field. (I think I could call this unsigned then.) All my tries failed so far. Whenever I create a certificate it has a signature field.

I used this command to create a certificate:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 365 -subj '/CN=localhost'

Then I view the certificate:

openssl x509 -in cert.pem -text

But it has a signature field:

Signature Algorithm: sha256WithRSAEncryption
     bb:98:a0:6f:3c:4b:5c:6d:29:1b:4b:1a:e8:70:6b:72:03:39:
     ...

This question is not a duplicate of:

How do you sign a Certificate Signing Request with your Certification Authority?

Because his question is about signing certificates (he already has the certificates). I want to create a certificate (I don't want to sign any).

I also tried to create a CSR (as suggested in an answer below) like this:

openssl genrsa -des3 -passout pass:test1234 -out keypair.key 2048
openssl rsa -passin pass:test1234 -in keypair.key -out moh.key
openssl req -new -key moh.key -out jo.csr
openssl req -noout -text -in jo.csr

And even the resulting CSR has a signature.

Maybe it's possible to create a CSR without signature field?



That doesn't make sense, though, because certificates are always signed.

From IETF RFC 5280, section 4.1:

Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    extensions      [3]  EXPLICIT Extensions OPTIONAL
                         -- If present, version MUST be v3
    }

A Certificate is a signed TBSCertificate (to-be-signed certificate), and a TBSCertificate already has to have an issuer name (the 4th field). While every library that can read X.509 certificates has (effectively) a TBSCertificate parser, it's not really expected to be a top-level object.

The closest to an "unsigned certificate" is a certification request (colloquially "CSR"), but that still requires a private key (see Why private key is used amidst creation of CSR?).
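To see the RFC 5280 structure the answer quotes in an actual file, here is an added example (not code from the question or the answer): it builds a throwaway self-signed certificate the same way the question does, splits the DER into the three children of the outer Certificate SEQUENCE with openssl asn1parse, and checks that signatureValue verifies over tbsCertificate, and stops verifying once a single TBS byte is changed. It assumes an openssl binary on PATH; every file name is constructed.

```shell
# Added example, not code from the question or the answer. It splits a
# self-signed certificate into the three fields of RFC 5280's Certificate
# SEQUENCE and checks that signatureValue really covers tbsCertificate.
# Assumes an `openssl` binary on PATH; every file name here is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.der"

# Throwaway self-signed certificate, built the same way as in the question.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -nodes -days 1 -subj '/CN=localhost' >/dev/null 2>&1
  openssl x509 -in "$WORK/cert.pem" -outform DER -out "$CERT"
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem"
}

# Byte offsets of the depth-1 elements of the outer SEQUENCE. RFC 5280 allows
# exactly three: tbsCertificate, signatureAlgorithm, signatureValue.
depth1_offsets() {
  openssl asn1parse -inform DER -in "$CERT" | awk -F: '$2 ~ /^d=1 / { gsub(/ /, "", $1); print $1 }'
}
top_level_fields() { depth1_offsets | wc -l | tr -d ' '; }

# Extract the DER of tbsCertificate (first depth-1 element) and the raw bits
# of signatureValue (last depth-1 element), then verify one against the other.
verify_tbs_signature() {
  tbs_off=$(depth1_offsets | head -n 1)
  sig_off=$(depth1_offsets | tail -n 1)
  openssl asn1parse -inform DER -in "$CERT" -strparse "$tbs_off" -out "$WORK/tbs.der" -noout
  openssl asn1parse -inform DER -in "$CERT" -strparse "$sig_off" -out "$WORK/sig.bin" -noout
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" "$WORK/tbs.der"
}

# Overwrite one byte of the extracted tbsCertificate (byte 8 is the version
# INTEGER's value, assuming a v3 cert with a 4-byte outer header) and confirm the
# signature is rejected: the signature field cannot be dropped or edited without re-signing.
tamper_check() {
  verify_tbs_signature >/dev/null
  printf '\000' | dd of="$WORK/tbs.der" bs=1 seek=8 conv=notrunc 2>/dev/null
  if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" "$WORK/tbs.der" >/dev/null 2>&1; then
    return 1   # a tampered TBS must never verify
  fi
  return 0
}

make_cert
echo "top-level fields: $(top_level_fields)"   # 3
verify_tbs_signature                           # Verified OK
tamper_check && echo "tampered tbsCertificate: signature rejected"
```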
