PKCS#10 CSR generation and bulky crypto library - Re: Questions about legacy apps/req.c code

Philip Prindeville philipp_subx at
Wed Dec 22 21:33:30 UTC 2021

> On Dec 22, 2021, at 2:18 PM, Jordan Brown <openssl at> wrote:
> On 12/22/2021 11:45 AM, David von Oheimb wrote:
>> Yet beware that a general-purpose library function that has (at least) the flexibility offered by that app would need a non-trivial set of parameters.
> I suspect that it would end up looking a lot like the existing API.  There might be a few shortcuts possible, but fundamentally you need to set a significant (and variable) number of parameters.  The straightforward way to do that is with a "create object" function and "set parameter into object" functions - and some of those parameters themselves need a similar set of functions.
> The existing API isn't bad, once you figure out how to use it.  It's been several years since I wrote a CSR generator and so I don't remember how I figured it out, but I think I might have had to look at req.c rather than finding documentation.

Should supporting openssl.cnf be part of the library API, or externally handled in the command-line utility where it then passes in the values extracted from that file?

I'm inclined to KISS and going with the latter.


More information about the openssl-users mailing list