[openssl-users] Is there a "Golden" CA makefile?

Jakob Bohm jb-openssl at wisemo.com
Wed May 3 02:18:36 UTC 2017

On 30/04/2017 13:52, Jochen Bern wrote:
> On 04/29/2017 09:55 PM, John Lewis got digested:
>> I am looking for a CA makefile to use with an openvpn tutorial I am
>> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
>> endorsed by the openssl project?
> Since you're specifically mentioning Open*VPN*, let me mention that
> EasyRSA is a spin-off of that project. Not makefile-based, and working
> with sub-CAs certainly isn't easy (though *possible* with version 3),
> but if you want to see how the OpenVPN people think "their" CAs *should*
> be run, that's what I'd suggest to look at.
> In a more general sense, the policies and technical limitations of CAs
> vary too much for their operators to even agree on what color gold has,
> I guess ...
> (Not-quite-random example: Out of the box, OpenSSL dislikes CAs issuing
> same-DN certs with overlapping validity periods. OpenVPN, again out of
> the box, bases the mechanism of peer-specific configs on the CN. So if
> you want to renew the cert of some device you're managing remotely
> *through* the very VPN, you may(*) have an interest to *defeat* the
> OpenSSL behavior, so as to issue the new cert before the old one expires
> and saws off the branch you're adminning from.
> (*) Of course, there *are* other techniques to work around the problem,
> but.)

Not as much "defeat", as setting the relevant option by adding the
following command during CA (and SubCA) setup:

   echo "unique_subject = no" > ${CADIR}/db/index.attr
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
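Added example, not part of the thread or of any OpenSSL/OpenVPN project code: a throwaway CA built with `openssl ca` in a mktemp directory, showing the refusal Jochen describes (same CN, old cert still valid) and what the index.attr line above changes. It assumes the `openssl` CLI is on PATH and uses the `db/index` / `db/index.attr` layout from Jakob's command; the CN `vpn-gateway-01` and the config section names are made up for the demo.

```shell
#!/bin/sh
# Demo of openssl ca's unique_subject handling (constructed example).
set -eu

# Build a minimal CA under $1: config, empty database, serial, self-signed root.
setup_ca() {
    CADIR="$1"
    mkdir -p "$CADIR/db" "$CADIR/certs"
    : > "$CADIR/db/index"          # openssl ca database; attr file is ${database}.attr
    echo 1000 > "$CADIR/db/serial"
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $CADIR
database        = \$dir/db/index
new_certs_dir   = \$dir/certs
serial          = \$dir/db/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = v3_leaf

[ demo_policy ]
commonName = supplied

[ v3_leaf ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = critical,CA:TRUE

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Demo CA
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CADIR/ca.cnf" \
        -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" >/dev/null 2>&1
}

# Issue a leaf cert for CN=$2 from CA dir $1, writing $3.key/$3.csr/$3.crt.
# Returns non-zero when openssl ca refuses the request.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$1/ca.cnf" -in "$3.csr" -out "$3.crt" >/dev/null 2>&1
}

# Returns 0 when the default refuses a same-DN renewal and unique_subject = no
# allows it, leaving two valid (V) index entries for the same CN.
demo_unique_subject() {
    CADIR=$(mktemp -d)
    setup_ca "$CADIR"

    issue_leaf "$CADIR" vpn-gateway-01 "$CADIR/old"          # first cert: accepted

    # After the first issue openssl ca writes db/index.attr with unique_subject = yes,
    # so renewing the same CN while the old cert is still valid is refused.
    if issue_leaf "$CADIR" vpn-gateway-01 "$CADIR/refused"; then
        echo "unexpected: duplicate subject accepted with default settings" >&2
        rm -rf "$CADIR"; return 1
    fi

    # The one-liner from the thread: allow overlapping same-DN certificates.
    echo "unique_subject = no" > "$CADIR/db/index.attr"
    issue_leaf "$CADIR" vpn-gateway-01 "$CADIR/new" || { rm -rf "$CADIR"; return 1; }

    count=$(grep -c "^V.*CN=vpn-gateway-01" "$CADIR/db/index")
    rm -rf "$CADIR"
    [ "$count" -eq 2 ]
}
```

Run it with `demo_unique_subject && echo "overlapping renewal works"`. The refusal step is what bites when the remote device you renew through the VPN is the one whose cert is expiring; setting the attr line before that point (or `unique_subject = no` in the `[ demo_ca ]` section, which the attr file overrides once it exists) is what keeps the old and new certs issuable side by side.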
