Create certificate without private key with OpenSSL
As AJ Henderson suggested, the perfect solution would be to have the OpenPGP card sign the CSR. It turned out that is possible with the gpgsm
CLI tool. Damien Goutte-Gattat from the GnuPG-user mailing list answered the question:
Is there any way to create an X509 CSR signed with the private key stored on the card?
Yes, you can use the gpgsm(1) tool for that.
Make sure your card is in the card reader, then:
$ gpgsm --armor --output mycsr.pem --gen-key
You’ll be prompted to select what kind of key you want; choose "Existing key from card" (make sure your card is in the reader). Then select which of the card keys you want to use (the signing key, the encryption key, or the authentication key) and the intended use of the future certificate. At the end of the procedure, you’ll be prompted for your PIN in order to sign the CSR.
The documentation of Scute has a complete example (it uses gpgsm-gencert.sh, a deprecated helper script, instead of the above command, but the procedure is almost the same).
So there is no need to circumvent the CSR; you can make a valid X509 cert with GnuPG.
Yes, you can circumvent this fact.
- create a fake csr with ANY private key
- the CA can use the force_pubkey flag (as mentioned here: https://www.openssl.org/docs/manmaster/man1/x509.html) to sign it even if the provided public key isn't the one that belongs to the private key you used when generating the csr.
- you have your X509 with your desired public key
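The three steps of this answer carried through with OpenSSL on the command line, as an added example that is not part of either answer. The card is stood in for by a freshly generated key pair whose private half is deleted, the CA is a toy self-signed CA, and all file and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example: issue a certificate for a public key whose private half we
# cannot use for signing (standing in for a key kept on an OpenPGP card),
# via the -force_pubkey route from the answer above. All names are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the card: generate a pair, keep only the public key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out card_priv.pem 2>/dev/null
openssl pkey -in card_priv.pem -pubout -out card_pub.pem
rm card_priv.pem   # from here on the private key is unreachable, as on a card

# Throwaway key whose only job is to let "openssl req" emit a self-signed CSR.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out throwaway.pem 2>/dev/null
openssl req -new -key throwaway.pem -subj "/CN=card-holder.example" -out fake.csr

# Toy CA, constructed for the demo.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -subj "/CN=Demo CA" \
  -days 1 -out ca.crt 2>/dev/null

# Sign the CSR but replace its public key with the card's. The CSR signature
# still has to verify (against the throwaway key), which is why one is needed.
openssl x509 -req -in fake.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -force_pubkey card_pub.pem -days 1 -out card.crt 2>/dev/null

# SHA-256 over the DER-encoded public key, so PEM line wrapping cannot matter.
spki_fingerprint() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# Checks: the certificate carries the card key, not the throwaway key, and chains to the CA.
cert_pub_matches_card() {
  [ "$(openssl x509 -in card.crt -noout -pubkey | spki_fingerprint)" = \
    "$(spki_fingerprint < card_pub.pem)" ]
}
cert_pub_matches_throwaway() {
  [ "$(openssl x509 -in card.crt -noout -pubkey | spki_fingerprint)" = \
    "$(openssl pkey -in throwaway.pem -pubout | spki_fingerprint)" ]
}
cert_chains_to_ca() { openssl verify -CAfile ca.crt card.crt >/dev/null; }

# Caveat: the CSR signature here proves nothing about who controls the card key.
# A CA taking this route must establish possession some other way, e.g. a CSR
# actually signed on the card, as gpgsm does in the first answer.
cert_pub_matches_card && ! cert_pub_matches_throwaway && cert_chains_to_ca \
  && echo "issued $WORK/card.crt"
```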