[openssl-users] ca's config options -certs vs. -new_certs_dir

Nichols, Timothy (Checkpoint) Timothy.Nichols at va.gov
Fri Mar 31 19:44:56 UTC 2017

Thank you, sir. I was attacking this from the standpoint of needing to generate several thousand certificates for testing purposes and so unique certificates went to unique files. I think I must have used -out by itself, though I believe I tried the -outdir option at the end when I tried to tighten up my script.

I didn't think when I undertook this effort that it would turn into such a slog wherein I'd need to understand all this minutia. Now, much to my surprise, I love this stuff...


From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Michael Wojcik
Sent: Wednesday, March 08, 2017 13:39
To: openssl-users at openssl.org
Subject: [EXTERNAL] Re: [openssl-users] ca's config options -certs vs. -new_certs_dir

It's because processing a request can generate multiple certificates. Therefore ca needs a destination where it can write multiple certificates, not just a single one.

Note that new_certs_dir is only used if -outdir wasn't specified on the command line. You could create a temporary directory, pass its pathname with -outdir, then remove the directory and its contents after running ca.

With -out, all the certificates are just concatenated to the file. Usually they're PEM, so that's OK; the exception is if -spkac is used to specify an SPKAC file. SPKAC is mostly used in conjunction with the HTML KEYGEN element, when interpreted by Firefox and some other browsers. So you could argue that -outdir / new_certs_dir should be optional, since usually the single output file is more or less usable.

But it isn't optional, and that's life.

Of course, if you're building OpenSSL from source, it wouldn't be hard to make the necessary changes to ca.c.

Michael Wojcik
Distinguished Engineer, Micro Focus

From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Nichols, Timothy (Checkpoint)
Sent: Wednesday, March 08, 2017 13:57
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: [openssl-users] ca's config options -certs vs. -new_certs_dir

Hi, I am not understanding the point of the config file's mandatory default -new_certs_dir into which goes what appears to be a copy of the certificate I specifically locate elsewhere in the file system. I am using the -out option from the command line to generate the file named according to the convention I have chosen...and then in the new_certs directory is deposited the <hex>.pem file. Of course, I haven't found an explanation as to why this happens in the documentation or the Googlie.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170331/aeb84646/attachment.html>

More information about the openssl-users mailing list