[openssl-users] Cant get openssl x509 to work as documented
rgm at htt-consult.com
Tue Aug 22 20:26:57 UTC 2017
Want to continue this thread but with new information. I built a
Fedora-arm 26 system (on a Cubieboard2) and it has openssl version 1.1.0f
I built my DER root cert (and private key) no problem.
I built my DER Intermediate cert private key and CSR no problem.
For the following command:
openssl x509 -req -days 3650 -extfile $cadir/openssl-root.cnf
-sha256 -set_serial 0x$(openssl rand -hex $sn)\
-inform $format -in $dir/csr/intermediate.csr.$format\
-outform $format -out $dir/certs/intermediate.cert.$format\
-CAkeyform $format -CAkey $cadir/private/ca.key.$format\
-CAform $format -CA $cadir/certs/ca.cert.$format
I built this reading:
3069592528:error:0906D06C:PEM routines:PEM_read_bio:no start
line:crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE REQUEST
The man page above has CAkeyform and CAform in the summary, but no
details below. I am ASSUMEing DER is now supported.
for -sha256, I finally figured out that -[digest] is how the the man
presents which hash to use.
Why does this command use -extfile and not -config? Is it because ALL
that is taken from config is -extensions? Confusing to the casual user.
But why the error?
And yes, I know I can convert a PEM cert to DER, but I would also have
to convert the private key, and maintain duo structures in places.
Would RATHER have a parallel setup. Of course there is the challenge of
the cert chain that Viktor earlier explained. OCSP? :)
More information about the openssl-users