Make a csr if there's not a root

cmd/step-pkcs11-init/main.go

@@ -358,6 +358,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 	// Intermediate Certificate
 	var keyName string
 	var publicKey crypto.PublicKey
+	var intSigner crypto.Signer
 	if c.CrtKeyPath != "" {
 		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		if err != nil {
@@ -376,6 +377,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 		}
 
 		publicKey = priv.Public()
+		intSigner = priv
 	} else {
 		resp, err := k.CreateKey(&apiv1.CreateKeyRequest{
 			Name:               c.CrtKeyObject,
@@ -387,8 +389,14 @@ func createPKI(k kms.KeyManager, c Config) error {
 		}
 		publicKey = resp.PublicKey
 		keyName = resp.Name
+
+		intSigner, err = k.CreateSigner(&resp.CreateSignerRequest)
+		if err != nil {
+			return err
+		}
 	}
 
+	if root != nil {
 		template := &x509.Certificate{
 			IsCA:                  true,
 			NotBefore:             now,
@@ -429,6 +437,23 @@ func createPKI(k kms.KeyManager, c Config) error {
 		}), 0600); err != nil {
 			return err
 		}
+	} else { // No root available, generate CSR for external root.
+		csrTemplate := x509.CertificateRequest{
+			Subject:            pkix.Name{CommonName: c.CrtSubject},
+			SignatureAlgorithm: x509.ECDSAWithSHA256,
+		}
+		// step: generate the csr request
+		csrCertificate, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, intSigner)
+		if err != nil {
+			return err
+		}
+		if err := fileutil.WriteFile(c.CrtPath, pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE REQUEST",
+			Bytes: csrCertificate,
+		}), 0600); err != nil {
+			return err
+		}
+	}
 
 	if c.CrtKeyPath != "" {
 		ui.PrintSelected("Intermediate Key", c.CrtKeyPath)