[openssl-users] Another problem with openssl x509 -req -- default_enddate

Robert Moskowitz rgm at htt-consult.com
Wed Aug 30 04:17:09 UTC 2017


Viktor,

thanks for the explanation. Obviously I read more into the man page than was 
really there:

https://www.openssl.org/docs/man1.1.0/apps/x509.html

So back to openssl ca and deal with no way to directly create a DER 
formatted cert.

Definitely a deficiency.

On 08/29/2017 07:25 PM, Viktor Dukhovni wrote:
> On Tue, Aug 29, 2017 at 05:36:34PM -0400, Robert Moskowitz wrote:
>
>> Another problem.  It is almost like it is not reading the CA selection?
> Not "almost", but actually as expected, since "openssl x509 -req"
> is not the ca(1) application.
>
>>     openssl x509 -req -extfile $dir/openssl-8021AR.cnf \
>>          -extensions 8021ar_idevid -days 365 -sha256 \
>>          -set_serial 0x$(openssl rand -hex $sn) \
>>          -inform $format -in $dir/csr/$DevID.csr.$format \
>>          -outform $format -out $dir/certs/$DevID.cert.$format \
>>          -CAkeyform $format -CAkey $dir/private/8021ARintermediate.key.$format \
>>          -CAform $format -CA $dir/certs/8021ARintermediate.cert.$format
>>
>> does not.  Even if I leave out the -days option.
> It just creates a signed certificate based on the command-line
> options, with only the extensions (-extfile option) read from a
> configuration file.  The only concession to ca(1)-like behaviour
> is support for a compatible serial number file (likely subject to
> race conditions absent external locks to serialize invocations).
>
>      * The version is 3, since you're using extensions
>      * The serial number is specified on the command line.
>      * The issuer DN is taken from the signing certificate.
>      * The subject DN and public key are copied from the CSR
>
> That just leaves the dates, and you get to specify the duration
> from *now* with "-days".
>
> With "x509 -req" you're building certs pretty much from the ground
> up, a short C program will do exactly the same work, and could use
> an explicit end date, rather than an increment of 'n' days from
> the present.
>

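The ca(1) route the message falls back to, as an added example that is not code from the thread or from the OpenSSL project: sign a CSR with `openssl ca` using an explicit `-enddate` (the absolute notAfter that `x509 -req -days` cannot express, per the reply above), then get the DER encoding Robert wants by re-encoding the signed PEM with `openssl x509 -outform DER`. The throwaway CA, the config section names (`demo_ca`, `policy_devid`, `devid_ext`, `ca_ext`), the subjects, the serial file contents and the `491231235959Z` end date are all constructed for this example; the 802.1AR extension contents of the original config are not reproduced.

```shell
#!/bin/sh
# Added example, not code from the thread. Sign a CSR with `openssl ca` using an
# explicit end date, then re-encode the PEM result as DER with `openssl x509`.
# Everything here (CA layout, config section names, subjects, dates) is
# constructed for the example; the minimal ca(1) database is built from scratch.
set -eu

# issue_device_cert WORKDIR ENDDATE
#   Builds a throwaway CA under WORKDIR, generates a device key and CSR, signs
#   the CSR with `openssl ca -enddate ENDDATE` (UTCTime form, YYMMDDHHMMSSZ),
#   converts the PEM certificate to DER, and prints the DER cert's notAfter.
issue_device_cert() {
    dir=$1
    enddate=$2

    # ca(1) expects its database files to exist before the first signing run.
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    printf '1000\n' > "$dir/serial"

    # Unquoted heredoc: $dir expands to absolute paths inside the config.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = demo_ca

[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_devid

# Subject attributes the policy does not mention are silently dropped from the
# issued certificate, so list every attribute the CSR is expected to carry.
[ policy_devid ]
organizationName = supplied
serialNumber = optional
commonName = supplied

[ devid_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

    # Throwaway CA (long-lived so the example keeps validating) and a device CSR.
    openssl req -x509 -config "$dir/ca.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 36500 \
        -subj "/O=Example Corp/CN=Example Device CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" \
        -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/serialNumber=DEV-0001/CN=example-device" \
        -keyout "$dir/dev.key" -out "$dir/dev.csr" 2>/dev/null

    # The point of the exercise: ca(1) accepts an absolute notAfter via -enddate
    # (and an absolute notBefore via -startdate); x509 -req only offers -days.
    openssl ca -batch -notext -config "$dir/ca.cnf" -extensions devid_ext \
        -enddate "$enddate" -in "$dir/dev.csr" -out "$dir/dev.pem"

    # ca(1) writes PEM only. Re-encoding to DER is a lossless conversion of the
    # already-signed certificate: no private key and no re-signing involved.
    openssl x509 -in "$dir/dev.pem" -outform DER -out "$dir/dev.der"

    # Report what actually landed in the DER file.
    openssl x509 -inform DER -in "$dir/dev.der" -noout -enddate
}

# Stand-alone demo; skipped cleanly when openssl is not on PATH.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    issue_device_cert "$work" 491231235959Z
    openssl verify -CAfile "$work/ca.crt" "$work/dev.pem"
    rm -rf "$work"
fi
```

Running it prints `notAfter=Dec 31 23:59:59 2049 GMT` followed by `dev.pem: OK` from `openssl verify`. The dates ca(1) accepts are ASN.1 time strings, so `491231235959Z` is 2049-12-31 23:59:59 UTC; newer releases also take the 15-character GeneralizedTime form. Because the DER step is a pure re-encoding, it can run on a machine that never sees the CA key, which is the cleaner place for it anyway.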