[openssl-users] Another problem with openssl x509 -req -- default_enddate

Robert Moskowitz rgm at htt-consult.com
Wed Aug 30 10:03:03 UTC 2017


Viktor,

On 08/30/2017 12:59 AM, Viktor Dukhovni wrote:
> On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote:
>
>> So back to openssl ca and deal with no way to directly create a DER
>> formatted cert.
>>
>> Definitely a deficiency.
> Not really a deficiency, as the certificates in question need to
> be squirreled away in PEM format in the CA's "certs/" directory
> (compatibility with longstanding behaviour), and are much more
> easily exported, via email etc., in PEM format.
>
> It is trivial to convert a PEM certificate to DER.  Mind you,
> if I wanted a specialized CA, I'd go with the C API, where
> you can do *exactly* what you want:
>
>    * Store metadata in a SQL database.
>    * Read keys directly from PKCS8
>    * Write certs directly in DER form
>    * ...
>
> The openssl ca(1) program is to some extent just a demo, that meets
> only the simplest needs.  Perhaps you were looking for a turnkey
> CLI, but you have a specialized new use-case, and it is not entirely
> surprising that it is not directly supported.
>
> Patches to support missing features that might be of use to others
> are welcome.  The software evolves best through community participation.

I am not a coder.  In fact I pretty much stopped writing code in the 
'80s.  I DID some programming in B on Honeywells.  The only place where 
B escaped Bell Labs.  I never got to C; moved on to other IT support 
work, then to coding standards in English...

I have some limited scripting skills.

So as much as I would like to contribute code, with maybe 2 years to 
retirement, I am not going to pick it up.  But who knows, maybe I will 
take a C programming course as part of my retirement activities.

I kind-of slept on this issue. I know that I can convert a PEM cert to 
DER, but I have been thinking about 'what of the other portions, like 
the keypair file?'  I woke up with a little clearer head, and realized that 
a truly constrained device won't even bother with DER, but just store 
the raw keypair.  So doing the creation all PEM and converting what is 
needed as DER to DER may be a realistic approach.

Thanks for your help on this.

Bob
