[openssl-users] Another problem with openssl x509 -req -- default_enddate

Viktor Dukhovni openssl-users at dukhovni.org
Wed Aug 30 04:59:27 UTC 2017


On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote:

> So back to openssl ca and deal with no way to directly create a DER
> formatted cert.
> 
> Definitely a deficiency.

Not really a deficiency, as the certificates in question need to
be squirreled away in PEM format in the CA's "certs/" directory
(compatibility with longstanding behaviour), and are much more
easily exported, via email etc., in PEM format.

It is trivial to convert a PEM certificate to DER.  Mind you,
if I wanted a specialized CA, I'd go with the C API, where
you can do *exactly* what you want:

  * Store metadata in a SQL database.
  * Read keys directly from PKCS8.
  * Write certs directly in DER form.
  * ...

The openssl ca(1) program is to some extent just a demo, that meets
only the simplest needs.  Perhaps you were looking for a turnkey
CLI, but you have a specialized new use-case, and it is not entirely
surprising that it is not directly supported.

Patches to support missing features that might be of use to others
are welcome.  The software evolves best through community participation.

-- 
	Viktor.
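
The PEM-to-DER conversion mentioned in the message above, as an added example that is not part of the original post and not OpenSSL's own code. It extracts each CERTIFICATE block from a PEM file, skipping the text dump that `openssl ca` writes ahead of the block unless `-notext` is given, and checks that the decoded bytes form one complete DER SEQUENCE. The function names and the dummy sample are assumptions made for illustration.

```python
import base64
import re
import textwrap

# One PEM certificate block. Text outside the armor is ignored, e.g. the
# human-readable dump `openssl ca` writes before the block unless -notext is used.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)


def der_total_length(der):
    """Size in bytes of the outer DER SEQUENCE, header included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                 # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                 # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block found in pem_text."""
    blobs = []
    for match in PEM_CERT.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("certificate body is truncated or has trailing bytes")
        blobs.append(der)
    if not blobs:
        raise ValueError("no CERTIFICATE block found")
    return blobs


def constructed_sample():
    """Constructed input: a 300-byte dummy SEQUENCE (not a real certificate),
    PEM-armored at 64 columns and preceded by a made-up text preamble."""
    der = b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    pem = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
           "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n")
    return der, pem


if __name__ == "__main__":
    expected, pem = constructed_sample()
    (der,) = pem_to_der(pem)
    print(len(der), der == expected)
```

The length check rejects a body that was cut short or has extra bytes appended; it does not validate the certificate structure inside the SEQUENCE.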

