[openssl-users] ca's config options -certs vs. -new_certs_dir

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Mar 8 21:39:19 UTC 2017

It's because processing a request can generate multiple certificates. Therefore ca needs a destination where it can write multiple certificates, not just a single one.

Note that new_certs_dir is only used if -outdir wasn't specified on the command line. You could create a temporary directory, pass its pathname with -outdir, then remove the directory and its contents after running ca.

With -out, all the certificates are just concatenated to the file. Usually they're PEM, so that's OK; the exception is if -spkac is used to specify an SPKAC file. SPKAC is mostly used in conjunction with the HTML KEYGEN element, when interpreted by Firefox and some other browsers. So you could argue that -outdir / new_certs_dir should be optional, since usually the single output file is more or less usable.

But it isn't optional, and that's life.

Of course, if you're building OpenSSL from source, it wouldn't be hard to make the necessary changes to ca.c.

Michael Wojcik
Distinguished Engineer, Micro Focus

From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Nichols, Timothy (Checkpoint)
Sent: Wednesday, March 08, 2017 13:57
To: openssl-users at openssl.org
Subject: [openssl-users] ca's config options -certs vs. -new_certs_dir

Hi, I am not understanding the point of the config file’s mandatory default –new_certs_dir into which goes what appears to be a copy of the certificate I specifically locate elsewhere in the file system. I am using the –out option from the command line to generate the file named according to the convention I have chosen…and then in the new_certs directory is deposited the <hex>.pem file. Of course, I haven’t found an explanation as to why this happens in the documentation or the Googlie.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170308/96687b52/attachment-0001.html>

More information about the openssl-users mailing list