[openssl-users] Can't get openssl x509 to work as documented

Robert Moskowitz rgm at htt-consult.com
Tue Aug 22 20:26:57 UTC 2017


Want to continue this thread but with new information.  I built a 
Fedora-arm 26 system (on a Cubieboard2) and it has openssl version 1.1.0f.

I built my DER root cert (and private key) no problem.

I built my DER Intermediate cert private key and CSR no problem.

For the following command:

sn=8
format=der
dir=/root/ca3
cadir=/root/ca3

openssl x509 -req -days 3650 -extfile $cadir/openssl-root.cnf \
  -extensions v3_intermediate_ca \
  -sha256 -set_serial 0x$(openssl rand -hex $sn) \
  -inform $format -in $dir/csr/intermediate.csr.$format \
  -outform $format -out $dir/certs/intermediate.cert.$format \
  -CAkeyform $format -CAkey $cadir/private/ca.key.$format \
  -CAform $format -CA $cadir/certs/ca.cert.$format

I built this reading:

https://www.openssl.org/docs/man1.1.0/apps/x509.html

This generates:

3069592528:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE REQUEST

The man page above has CAkeyform and CAform in the summary, but no 
details below.  I am ASSUMING DER is now supported.

For -sha256, I finally figured out that -[digest] is how the man 
page presents which hash to use.

Why does this command use -extfile and not -config?  Is it because ALL 
that is taken from config is -extensions?  Confusing to the casual user.

But why the error?

And yes, I know I can convert a PEM cert to DER, but I would also have 
to convert the private key, and maintain dual structures in places.  
Would RATHER have a parallel setup.  Of course there is the challenge of 
the cert chain that Viktor earlier explained.  OCSP? :)

Bob
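The error text above comes from the PEM reader ("PEM_read_bio:no start line ... Expecting: CERTIFICATE REQUEST"), i.e. the request is being parsed as PEM even though -inform der was given. The script below is an added example, not from the post or from OpenSSL: it keeps the CA key, CA cert and CSR on disk as DER, converts only the CSR to PEM on the fly and feeds it to x509 -req on stdin, then checks that the DER intermediate verifies against the DER root. It builds its own throwaway root and intermediate in a scratch directory; the file names and the minimal v3_intermediate_ca section are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script): DER-on-disk CA with a
# PEM request piped into "openssl x509 -req". All paths are scratch names.
sign_intermediate_from_der() {
    work=$(mktemp -d) || return 1
    cnf="$work/openssl-root.cnf"
    # Assumed minimal config: only the extension section that -extfile/-extensions needs.
    cat > "$cnf" <<'EOF'
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
    # Root key and self-signed root cert; the cert is written as DER, the key converted to DER.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj /CN=Test-Root -keyout "$work/ca.key.pem" \
        -outform der -out "$work/ca.cert.der" >/dev/null 2>&1 || return 1
    openssl pkey -in "$work/ca.key.pem" -outform der -out "$work/ca.key.der" || return 1
    # Intermediate key and a DER CSR, as in the post.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=Test-Intermediate \
        -keyout "$work/int.key.pem" -outform der \
        -out "$work/intermediate.csr.der" >/dev/null 2>&1 || return 1
    # Workaround: hand x509 -req a PEM request on stdin (no -in given, so it reads stdin),
    # while the CA cert and key stay DER via -CAform/-CAkeyform.
    openssl req -inform der -in "$work/intermediate.csr.der" -outform pem |
      openssl x509 -req -days 3650 -sha256 \
        -extfile "$cnf" -extensions v3_intermediate_ca \
        -set_serial "0x$(openssl rand -hex 8)" \
        -inform pem \
        -CAform der -CA "$work/ca.cert.der" \
        -CAkeyform der -CAkey "$work/ca.key.der" \
        -outform der -out "$work/intermediate.cert.der" 2>/dev/null || return 1
    # Check: the DER intermediate must chain to the DER root (verify wants PEM inputs).
    openssl x509 -inform der -in "$work/ca.cert.der" -out "$work/ca.cert.pem" || return 1
    openssl x509 -inform der -in "$work/intermediate.cert.der" -out "$work/int.cert.pem" || return 1
    openssl verify -CAfile "$work/ca.cert.pem" "$work/int.cert.pem" >/dev/null
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Run it as `sign_intermediate_from_der && echo chain ok`; the same pipe can replace the -inform/-in pair in the post's command while every other file stays in $format.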
