Topic: Signing a CSR

Hello all,
So, I can create a CA owned by us, effectively making us a small CA.

I would like to use it to sign a certificate.  Specifically a CSR generated by Wolf, and kept inside a device.

How would I do that in Wolf?  ...programmatically.

Use Case:
A standalone device would allow the user to download and install our private CA.

Then they would generate a new cert on the fly, which would be stored in the device and be used to allow HTTPS connections.

A server (in the standalone device) would use the certificate and the browser would verify the signing against its CAs.

The goal is to avoid loading all CAs to the standalone device and having a business install their official certificate and keys on the device.

I hope I understand this correctly and this makes sense.


<Code shown is not to scale>


Re: Signing a CSR

Hi Scott,

We have several CSR generation and signing examples here: … er/certgen

The device would have a copy of the CA certificate (public info) to define as "trusted" to validate the peer.

A device would either have a key provisioned at the factory or generate one, and then generate a CSR for signing by a CA. A certificate is based on a key, typically either RSA or ECC. During a TLS connection the certificate is presented and the key associated with it signs data to validate they own the key.

On the CA signing side we have some good scripts here: …

Let me know if you have any issues or questions.

David Garske, wolfSSL
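
The CA-side flow discussed in this thread, as an added example using the OpenSSL command line (not wolfSSL's code and not the scripts referenced in the reply). The device CSR is generated here with OpenSSL as a stand-in for the CSR the device would produce; the subject names, `device.local` and `192.0.2.10` are constructed placeholders.

```shell
# Added example: a private CA signs a device CSR. All names are constructed.
set -eu
make_ca() {            # $1 = CA directory; ca.key never goes onto the device
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Private CA
CN = Example Device Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
    openssl req -x509 -new -config "$1/req.cnf" -key "$1/ca.key" \
        -sha256 -days 3650 -out "$1/ca.crt"
}
make_device_csr() {    # $1 = dir, $2 = hostname; only dev.csr leaves the device
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/dev.key"
    openssl req -new -config "$1/req.cnf" -key "$1/dev.key" \
        -subj "/CN=$2" -out "$1/dev.csr"
}
sign_csr() {           # $1 = dir, $2 = hostname, $3 = IP
    # The CA, not the CSR, decides the extensions; browsers match on the SAN.
    printf '%s\n' 'basicConstraints = critical,CA:FALSE' \
        'keyUsage = critical,digitalSignature' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$2,IP:$3" > "$1/leaf.ext"
    # x509 -req refuses a CSR whose self-signature does not match its key.
    openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$1/leaf.ext" \
        -out "$1/dev.crt"
}
check_cert() {         # $1 = dir, $2 = hostname; what a client trusting ca.crt checks
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/dev.crt" >/dev/null
}
demo() {
    d=$(mktemp -d)
    make_ca "$d" && make_device_csr "$d" device.local &&
        sign_csr "$d" device.local 192.0.2.10 && check_cert "$d" device.local
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "device certificate chains to the private CA"
```

Only `ca.crt` is installed in the user's browser; the device holds `dev.key` and `dev.crt`, and the CA private key stays with whoever runs the signing step.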