It's because processing a request can generate multiple certificates. Therefore ca needs a destination where it can write multiple certificates, not just a single one. Note that new_certs_dir is only used if -outdir wasn't specified on the command line. You could create a temporary directory, pass its pathname with -outdir, then remove the directory and its contents after running
ca. With -out, all the certificates are just concatenated to the file. Usually they're PEM, so that's OK; the exception is if -spkac is used to specify an SPKAC file. SPKAC is mostly used in conjunction with the
HTML KEYGEN element, when interpreted by Firefox and some other browsers. So you could argue that -outdir / new_certs_dir should be optional, since usually the single output file is more or less usable. But it isn't optional, and that's life. Of course, if you're building OpenSSL from source, it wouldn't be hard to make the necessary changes to ca.c. Michael Wojcik
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx]
On Behalf Of Nichols, Timothy (Checkpoint) Hi, I am not understanding the point of the config file’s mandatory default –new_certs_dir into which goes what appears to be a copy of the certificate I specifically locate elsewhere in the file system. I am using the –out option from
the command line to generate the file named according to the convention I have chosen…and then in the new_certs directory is deposited the <hex>.pem file. Of course, I haven’t found an explanation as to why this happens in the documentation or the Googlie. Thanks, Tim |
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users