Command to generate a CSR using Existing Key pair available on Ejbca

[pranaw215]

Hi ,

Is there any CLI command availiable which will generate the CSR on the EJBCA server itself using existing key pair ?

[primetomas]

What would you use this CSR for?
Do you mean a CSR for a CA in order to renew an issuing CA from a sub CA?

[pranaw215]

We have a scenario where we need to sign the certificate using

1. Existing key pair in Ejbca itself .
2. For generating the certificate we need to create CSR with (private and public key generation ) on the server other then EJBCA and then get it signed through EJBCA.
3. But we don't want to generate CSR including key pair other then EJBCA . Instead we want EJBCA itself creates CSR using its existing key pair .
4. Then we want to create the certificate using that CSR on EJBCA itself , using the private key(which belongs to that key pair) in EJBCA.

Just wanted to understand whether It's possible ?

[primetomas]

This sounds like plain server side key generation for an end entity?
Add an end entity with Keystore Type "P12, JKS or PEM", and the key pair will be generated by the CA and the certificate returned.
I think there should be some tutorials with a basic enrollment with CA generated keys, there are some new videos up on youtube.
https://www.youtube.com/@KeyfactorCommunity

Not when creating a CA, but when issuing a certificate for an end entity, right?

[pranaw215]

Yes Its for creating a certificate not while generating CA. Also we don't want to generate Keys every time .
we want to use already generated keys when we want to generate certificate.

Thanks for pointing out the you tube tutorial.

[primetomas]

In EJBCA we would call that key recovery. If the private key is stored by the CA (normally it's not, the CA should never know end entitie's private signature keys), you can use the key recovery functionality to either recover an old certificate, or create a new certificate for the stored private/public key.
https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/key-recovery

Another option, that doesn't require the CA to store the private key is to get the public key from the existing certificate and issuing a new certificate from it by passing only the public key, using the WS SOAP API/CLI for example.

Regards,
Tomas