<div dir="ltr"><div>There's any advantage to use ca command instead x509 command? Why there's two different ways to sign a certificate request?<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 14, 2016 at 11:08 AM, Gareth Williams <span dir="ltr"><<a href="mailto:gareth@garethwilliams.me.uk" target="_blank">gareth@garethwilliams.me.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Thursday 14 January 2016 10:59:01 Mauro Romano Trajber wrote:<br>
> Could you send me the ca command line? There's any way to run it without<br>
> creating a .cnf - using only <(print notation?<br>
<br>
</span>To be honest, I don't know whether you could run it purely from the command<br>
line without a config file as there are many configuration options needed to<br>
operate openssl as a CA. Saying that, defaults values may work for many of<br>
those.<br>
<br>
Instead, I use a simple bash script (which I don't have to hand I'm afraid -<br>
at work) which uses a heredoc to echo a configuration to a temp file which is<br>
then used with the openssl ca command, before being deleted afterwards.<br>
<br>
If you're interested, I can dig it out later.<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> On Thu, Jan 14, 2016 at 6:07 AM, Gareth Williams <<br>
><br>
> <a href="mailto:gareth@garethwilliams.me.uk">gareth@garethwilliams.me.uk</a>> wrote:<br>
> > On Wednesday 13 January 2016 16:22:10 Mauro Romano Trajber<br>
> ><br>
> > wrote:<br>
> > > In which section?<br>
> > ><br>
> > > On section [CA_default] I have 'copy_extensions = copy'<br>
> ><br>
> > Is that the issue? You have copy_extensions in the CA_default<br>
> > section, which is no doubt referenced to by the default_ca = ... stanza<br>
> > earlier in the config file.<br>
> ><br>
> > My understanding is that this is only read when you use the openssl<br>
> > ca command. As you stated you're using the openssl x509 command<br>
> > to sign your request, then this isn't being read.<br>
> ><br>
> > Any reason you're not signing with the openssl ca command? I've just<br>
> > checked and it works as you expected when using this command.<br>
> ><br>
> > Kind regards,<br>
> ><br>
> > Gareth<br>
> ><br>
> > > Can I do this using only command line options?<br>
> > ><br>
> > > On Wed, Jan 13, 2016 at 3:42 PM, Salz, Rich <<a href="mailto:rsalz@akamai.com">rsalz@akamai.com</a>><br>
> ><br>
> > wrote:<br>
> > > > >But when I try to sign it using my own CA using the x509<br>
> ><br>
> > command this<br>
> ><br>
> > > > data is removed<br>
> > > ><br>
> > > > You need to make sure that subjectAltName is marked as copy in<br>
> ><br>
> > your config<br>
> ><br>
> > > > file.<br>
> > > > _______________________________________________<br>
> > > > openssl-users mailing list<br>
> > > > To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
> ><br>
> > _______________________________________________<br>
> > openssl-users mailing list<br>
> > To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div>