On Thursday 14 January 2016 11:17:48 Mauro Romano Trajber wrote:
> Is there any advantage to using the ca command instead of the x509 command?
> Why are there two different ways to sign a certificate request?

The x509 command is simply there to generate/manipulate X.509 format
certificates.

The ca command operates as a very basic CA and does things like keep track
of issued certificates (for revocation at a later date), manages
certificate serial numbers (increments them by one), and manages which
extensions are applied to the signed certificate (such as the SAN extension).

There is more to operating a CA than signing certificates. The openssl ca
command attempts to operate as a very basic CA, but even the documentation
admits that it is only for testing/development/experimenting and not for
real-world use where the trust derived from certificates has some real
value.

> On Thu, Jan 14, 2016 at 11:08 AM, Gareth Williams <gareth at garethwilliams.me.uk> wrote:
> > On Thursday 14 January 2016 10:59:01 Mauro Romano Trajber wrote:
> > > Could you send me the ca command line? Is there any way to run it without
> > > creating a .cnf - using only <(print notation?
> >
> > To be honest, I don't know whether you could run it purely from the
> > command line without a config file as there are many configuration
> > options needed to operate openssl as a CA. Saying that, default values
> > may work for many of those.
> >
> > Instead, I use a simple bash script (which I don't have to hand I'm
> > afraid - at work) which uses a heredoc to echo a configuration to a temp
> > file which is then used with the openssl ca command, before being
> > deleted afterwards.
> >
> > If you're interested, I can dig it out later.
> >
> > > On Thu, Jan 14, 2016 at 6:07 AM, Gareth Williams <gareth at garethwilliams.me.uk> wrote:
> > > > On Wednesday 13 January 2016 16:22:10 Mauro Romano Trajber wrote:
> > > > > In which section?
> > > > >
> > > > > On section [CA_default] I have 'copy_extensions = copy'
> > > >
> > > > Is that the issue? You have copy_extensions in the CA_default
> > > > section, which is no doubt referenced by the default_ca = ...
> > > > stanza earlier in the config file.
> > > >
> > > > My understanding is that this is only read when you use the openssl
> > > > ca command. As you stated you're using the openssl x509 command
> > > > to sign your request, then this isn't being read.
> > > >
> > > > Any reason you're not signing with the openssl ca command? I've just
> > > > checked and it works as you expected when using this command.
> > > >
> > > > Kind regards,
> > > >
> > > > Gareth
> > > >
> > > > > Can I do this using only command line options?
> > > > >
> > > > > On Wed, Jan 13, 2016 at 3:42 PM, Salz, Rich <rsalz at akamai.com> wrote:
> > > > > > >But when I try to sign it using my own CA using the x509 command this
> > > > > > >data is removed
> > > > > >
> > > > > > You need to make sure that subjectAltName is marked as copy in your config
> > > > > > file.
> > > > > > _______________________________________________
> > > > > > openssl-users mailing list
> > > > > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
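
The difference discussed in this thread, as an added example that is not part of the original messages and is not Gareth's script: one CSR carrying a subjectAltName is signed once with openssl x509 -req and once with openssl ca, using a heredoc config in a temp directory that is deleted afterwards. The host name, CA name and the section names san_req, ca_ext and policy_any are constructed for illustration; the openssl CLI is assumed to be on PATH.

```bash
# Added example (constructed names): does a CSR's SAN survive "x509 -req" vs "ca"?
san_after_signing() {   # $1 = "x509" or "ca"; prints "kept" or "dropped"
  local d result
  d=$(mktemp -d) || return 1
  # One throwaway config for both req and ca; the shell expands $d in the heredoc.
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ san_req ]
subjectAltName = DNS:www.example.test
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database        = $d/index.txt
serial          = $d/serial
new_certs_dir   = $d/newcerts
certificate     = $d/ca.crt
private_key     = $d/ca.key
default_md      = sha256
default_days    = 1
unique_subject  = no
policy          = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
EOF
  # State that "openssl ca" maintains: issued-certificate database and next serial.
  mkdir "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
  {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
      -extensions ca_ext -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.crt"
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -reqexts san_req -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr"
    if [ "$1" = ca ]; then   # reads [ CA_default ], so copy_extensions = copy applies
      openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/leaf.csr" -out "$d/leaf.crt"
    else                     # never reads [ CA_default ]; CSR extensions are not copied
      openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt"
    fi
  } >/dev/null 2>&1
  if openssl x509 -in "$d/leaf.crt" -noout -text 2>/dev/null | grep -q 'DNS:www.example.test'
  then result=kept; else result=dropped; fi
  rm -rf "$d"; echo "$result"
}

for m in x509 ca; do echo "$m: SAN $(san_after_signing "$m")"; done
```

With copy_extensions = copy the CA signs whatever extensions the requester put in the CSR, so check each request's contents before signing it this way.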