[openssl-users] Cant get openssl x509 to work as documented
Robert Moskowitz
rgm at htt-consult.com
Wed Aug 23 20:54:11 UTC 2017
On 08/23/2017 03:52 PM, Jakob Bohm wrote:
> On 22/08/2017 22:26, Robert Moskowitz wrote:
>> Want to continue this thread but with new information. I built a
>> Fedora-arm 26 system (on a Cubieboard2) and it has openssl version
>> 1.1.0f
>>
>> I built my DER root cert (and private key) no problem.
>>
>> I built my DER Intermediate cert private key and CSR no problem.
>>
>> For the following command:
>>
>> sn=8
>> format=der
>> dir=/root/ca3
>> cadir=/root/ca3
>>
>> openssl x509 -req -days 3650 -extfile $cadir/openssl-root.cnf
>> -extensions v3_intermediate_ca\
>> -sha256 -set_serial 0x$(openssl rand -hex $sn)\
>> -inform $format -in $dir/csr/intermediate.csr.$format\
>> -outform $format -out $dir/certs/intermediate.cert.$format\
>> -CAkeyform $format -CAkey $cadir/private/ca.key.$format\
>> -CAform $format -CA $cadir/certs/ca.cert.$format
>>
>> I built this reading:
>>
>> https://www.openssl.org/docs/man1.1.0/apps/x509.html
>>
>> This generates:
>>
>> 3069592528:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE REQUEST
>>
>> The man page above has CAkeyform and CAform in the summary, but no
>> details below. I am ASSUMING DER is now supported.
>>
>> For -sha256, I finally figured out that -[digest] is how the man
>> presents which hash to use.
>>
>> Why does this command use -extfile and not -config? Is it because
>> ALL that is taken from config is -extensions? Confusing to the
>> casual user.
>>
>> But why the error?
>>
>> And yes, I know I can convert a PEM cert to DER, but I would also
>> have to convert the private key, and maintain duo structures in
>> places. Would RATHER have a parallel setup. Of course there is the
>> challenge of the cert chain that Viktor earlier explained. OCSP? :)
>>
>>
> I don't think you have to pass all the various formats as PEM just
> because you pass one of them as such. After all, there are separate
> -XXXform style options for most of them.
>
> For example, you could store the CA private key in the
> encryption-supporting PEM format on the plentiful memory of the SD card,
> while using the more compact DER format for certificates and CSRs stored
> on embedded controllers (ECUs, dashboard displays etc.).
>
> Where OpenSSL bugs prevent use of DER for a file, it can be converted
> on the fly, storing the converted file in RAM (using tmpfs or similar).
I know this is an option, and if I can't get this working, then I have
to punt.

I am considering making the Root and Intermediate files all PEM, and
only the EE DER.

Should get to that tomorrow. I would rather establish that what I tried
above is just still not allowed, or that it is a bug.
Bob
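An added example, not from the thread or from OpenSSL itself: a small Python check for the "no start line ... Expecting: CERTIFICATE REQUEST" symptom quoted above. That error is what a PEM reader reports when handed bytes with no "-----BEGIN ...-----" header, typically a DER file, so sniffing the encoding (and whether a DER file is complete) before choosing -inform turns the mismatch into a plain diagnosis. The byte strings below are constructed samples, not real certificates or keys.

```python
import re

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def der_sequence_length(data: bytes):
    """Return the total encoded length of a leading DER SEQUENCE, or None.

    DER certs, keys and CSRs all start with tag 0x30 (SEQUENCE). The length
    is short form (one byte below 0x80) or long form (0x80 | n, then n bytes).
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(data) < 2 + n:
        return None  # indefinite length is not DER, or header is truncated
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def sniff_encoding(data: bytes) -> dict:
    """Classify bytes as PEM, DER or unknown and name the matching -inform."""
    m = PEM_HEADER.search(data)
    if m:
        return {"kind": "pem", "label": m.group(1).decode(),
                "inform": "pem", "complete": True}
    total = der_sequence_length(data)
    if total is not None:
        # A DER file whose outer SEQUENCE length disagrees with the file size
        # is truncated or has trailing garbage; OpenSSL will reject it too.
        return {"kind": "der", "label": None,
                "inform": "der", "complete": total == len(data)}
    return {"kind": "unknown", "label": None, "inform": None, "complete": False}


# Constructed samples (not real objects): a PEM CSR shell, a tiny DER
# SEQUENCE { INTEGER 5 }, and the same DER blob with its last byte cut off.
SAMPLE_PEM_CSR = (b"-----BEGIN CERTIFICATE REQUEST-----\nMIIB\n"
                  b"-----END CERTIFICATE REQUEST-----\n")
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_DER_TRUNCATED = SAMPLE_DER[:-1]

if __name__ == "__main__":
    for name, blob in [("csr.pem", SAMPLE_PEM_CSR), ("csr.der", SAMPLE_DER),
                       ("csr.der (cut)", SAMPLE_DER_TRUNCATED)]:
        print(name, sniff_encoding(blob))
```

Run it against the actual intermediate.csr.der before invoking x509 -req: if it reports "der" but the tool still prints the PEM error, the -inform option is not being honoured for that input, which points at the tool rather than the file.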