CA/Server configuration

Cyprus Socialite cyprussocialite at gmail.com
Thu Sep 29 17:07:19 UTC 2022


Hello


I am looking to clarify some conceptual and practical questions I've
accumulated while trying to configure a private 'Root CA - Intermediate CA
- Server' setup. Most of my confusion revolves around the configuration of
the Intermediate CA due to its role as both a requester and a provider of
certificates.

The first and perhaps most fundamental thing unclear to me is *what* the
configuration and extensions (provided via -config and -extensions
arguments) actually configure and extend. For instance, does `default_ca`
specify the parameters of the CA I'm operating, or the CA I'm requesting a
certificate from? Does the `[req]` section configure the requests I create
or the way I process others' requests (and so the certificates I output)?
To further the confusion, the `copy_extensions` setting seems to imply that
the extensions exist on both the CA and the requester side!

Secondly, how is the absence of a configuration field/section/extension
handled? Does it default to some value (e.g. from /etc/ssl/openssl.cnf) or
simply remain empty? For example, if I have no interest in OCSP
functionality, is the non-provision of all of the related fields enough to
prevent my certificates from being declared invalid because CRL requests fail?

Thirdly, I would like to understand the difference between the 'digest' and
the 'cipher' and what roles they perform in the communication process,
especially in relation to the actual signing algorithm. As an aside: I've
noticed that using any of the `sha3-*` digests somehow prevents Windows 10
from verifying my certificates.

Onto more practical concerns, I am thoroughly confused by how many OpenSSL
tools seemingly perform the same tasks. For example, one can generate a
certificate using any one of `req`, `ca`, and `x509 -req`. I understand
that some of these have additional functionality, such as generating key,
CSR, and certificate all at once, so I would like to know what the go-to
lowest-level, DOTADIW tools are for these purposes. At the moment, I am
using `genpkey` for, well, private key generation, and `req -new` for the
CSR.

Finally, if anyone happens to be in possession of an exhaustive
configuration file that includes *all* possible sections and fields
supported by OpenSSL, I would very much appreciate a copy!

I hope I've managed to present my questions clearly enough, but would be
happy to provide clarifications if needed.


Thanks


---------

“*The nice thing about standards is that there are so many to choose from*”
— Andrew S. Tanenbaum
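As an added example that is not part of the post above and not code from the OpenSSL project, the script below builds a throwaway root, intermediate and server chain and makes the "which side does this section configure" question concrete: `[req]`, `req_extensions` and `x509_extensions` only ever describe the request or self-signed certificate the invoking party itself generates; `[ca]`/`default_ca`, `copy_extensions` and the section named by `-extensions` describe the CA you operate and the certificates it issues. The intermediate's config therefore carries both a `[req]` (the CSR it sends up to the root) and a `[ca]` (the CA it runs when issuing down to servers). The server CSR deliberately asks for a SAN and for `basicConstraints = CA:TRUE`; with `copy_extensions = copy` the CA's own section wins for any extension it already sets, so the SAN is carried over while the issued certificate still says `CA:FALSE`, which is the check a CA operator should run on their own config. No CRL or OCSP fields are configured at all, and `openssl verify` still succeeds because it performs no revocation checking unless asked. `default_md` is only the hash; the key type (EC P-256 here) determines the signature algorithm. The signing of the intermediate uses the stateless `x509 -req` and the server certificate uses the stateful `ca`, so both tools appear side by side. All subjects, file names and paths are constructed for the demo; it assumes `openssl` 1.1.1 or later and `mktemp` are on `PATH`.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway root -> intermediate
# -> server chain showing which OpenSSL config section governs which side.
# Subjects, file names and paths are constructed for this demo.

# Run a command silently; on failure report which one broke.
run() { "$@" >/dev/null 2>&1 || { echo "failed: $*" >&2; return 1; }; }

build_chain() (
  set -e
  work=$(mktemp -d) && cd "$work"

  # ROOT: [req] + x509_extensions drive the self-signed cert `req -x509` emits.
  # v3_int is what the root applies when it signs the intermediate's CSR.
  cat > root.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # INTERMEDIATE: [req] governs the CSR it sends UP to the root; [ca] /
  # default_ca governs the CA it OPERATES when issuing DOWN to servers.
  cat > int.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Demo Intermediate CA
[ ca ]
default_ca = int_ca
[ int_ca ]
dir = ./int
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/int.key
certificate = $dir/int.pem
default_md = sha256
default_days = 365
policy = any_policy
copy_extensions = copy
[ any_policy ]
commonName = supplied
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # SERVER (requester side only): req_extensions are what the CSR asks for.
  # It asks for a SAN (legitimate) and for CA:TRUE (must not be honoured).
  cat > server.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = www.example.test
[ req_ext ]
subjectAltName = DNS:www.example.test, DNS:example.test
basicConstraints = CA:TRUE
EOF

  mkdir -p int/newcerts && : > int/index.txt && echo 1000 > int/serial
  for k in root.key int/int.key server.key; do
    run openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$k"
  done
  run openssl req -x509 -new -key root.key -config root.cnf -days 3650 -out root.pem
  run openssl req -new -key int/int.key -config int.cnf -out int.csr
  # `x509 -req`: stateless signer; extensions come from -extfile/-extensions.
  run openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 1825 -sha256 -extfile root.cnf -extensions v3_int -out int/int.pem
  run openssl req -new -key server.key -config server.cnf -out server.csr
  # `ca`: the stateful CA (index/serial); -extensions names the issuer section.
  run openssl ca -batch -notext -config int.cnf -extensions v3_server \
      -in server.csr -out server.pem

  # No CRL/OCSP fields configured; verify passes (no revocation check by default).
  v=fail; run openssl verify -CAfile root.pem -untrusted int/int.pem server.pem && v=ok
  c=no; openssl x509 -in server.pem -noout -text | grep -q 'CA:FALSE' && c=yes
  s=no; openssl x509 -in server.pem -noout -text | grep -q 'DNS:www.example.test' && s=yes
  echo "verify=$v ca_false=$c san=$s"
)

build_chain
```

Run as `sh chain.sh`; it prints `verify=ok ca_false=yes san=yes` when the intermediate's config is doing its job. Switching `copy_extensions` to `copyall` makes the request's `CA:TRUE` replace the issuer's `CA:FALSE`, which is why `copy` plus an explicit issuer section is the setting to keep.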