> On Aug 21, 2017, at 9:02 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>
> openssl x509 -req -days 3650 -extensions v3_intermediate_ca -inform $format\
> -in $dir/csr/intermediate.csr.$format -outform $format -out $dir/certs/intermediate.cert.$format\
> -CAkeyform $format -CAkey $cadir/private/ca.key.$format -CAform $format\
> -CA $cadir/certs/ca.cert.$format
>
> Where format=der and got that der is an invalid option. Plus the 'help' reported:

It is trivial to convert a PEM certificate to DER, just pipe the output
through "openssl x509 -outform DER".

Mind you this is often the wrong thing to do, because the DER form of an
X.509 certificate holds *exactly* one certificate, while users often need
a certificate *chain*, that also includes the requisite intermediate
certificates. With PEM, the certificate file can just hold all the
certificates back to back. With DER only the EE certificate appears in
the file.

While PKCS#7 can hold a bunch of certificates in DER form, it is not
typically used as a certificate chain file by any applications, and IIRC
there's no indication of which of the certificates is the end-entity
certificate in a PKCS#7 file.

The only widely used DER form for chains is PKCS#12 which holds the
private key as well as the certificate chain, and has a mandatory
passphrase. I use PKCS#12 (instead of JKS) for Java TLS server
applications, set the file access mode to 0600, and since there's no
point in prompting batch applications for a passphrase, set the
passphrase to "umask 077", since that's the only effective protection
for the private key.

It is not clear that PKCS#12 is compellingly more compact than PEM, the
only reason I use it is that Java supports JKS and PKCS#12, but not PEM.

> Note that -CAkeyform is invalid and that -CAkey can only be PEM.

As explained before, the API for DER PrivateKey objects does not support
passwords, and the CLI does not have a way to indicate the use of
PKCS8PrivateKey instead. The PrivateKey interface can read only
unencrypted PKCS#8 in PEM form.

> Even when I used my pem CA key, I still got errors. -config is
> not an option, where does this command get the config file from?
> -extensions says it looks to the config file for that label!

The config file for "x509 -req" is specified with "-extfile ...".

> SHA256 is not listed as a valid hash.

Many more X.509 digest algorithms are supported in this context than
(sadly) are listed in the manpage. Perhaps there should be a command
that lists all supported x.509 hash algorithms, and the documentation
for commands that take any of the supported algorithms can just refer
the reader to the output of that command.

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
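Added illustration of the chain point made in the reply above (example code written for this page, not from the original message and not OpenSSL's own code): a PEM file is a sequence of base64 blocks, so a chain of three certificates survives in one file, while a DER file is a single top-level TLV object, which is why piping a chain through "openssl x509 -outform DER" leaves only the first (end-entity) certificate. The certificate blobs are constructed DER SEQUENCE placeholders, not real X.509 certificates, and pem_to_der_like_openssl_x509 imitates the x509 command's single-certificate behaviour rather than invoking it; der_objects is a minimal DER TLV splitter that also rejects the truncated and indefinite-length inputs a strict DER reader would refuse.

```python
import base64
import re

# Matches each PEM "CERTIFICATE" block and captures its base64 body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_chain(pem_text):
    """Return the DER bytes of every certificate in a PEM file, in file order.

    PEM is base64 blocks back to back, so a chain file yields one DER blob
    per block."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(pem_text)]


def der_objects(buf):
    """Split a byte string into its top-level DER TLV objects.

    Raises ValueError on truncation, indefinite (BER) lengths, non-minimal
    lengths or trailing junk, which is what a DER reader would reject."""
    out = []
    pos = 0
    while pos < len(buf):
        start = pos
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags do not occur in X.509 DER")
        first = buf[pos + 1]
        pos += 2
        if first < 0x80:                      # short-form length
            length = first
        elif first == 0x80:                   # indefinite length: BER only
            raise ValueError("indefinite length is not DER")
        else:                                 # long form: next n bytes hold the length
            n = first & 0x7F
            if n > 4 or pos + n > len(buf):
                raise ValueError("bad long-form length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            if length < 0x80 or (n > 1 and buf[pos] == 0):
                raise ValueError("non-minimal length is not DER")
            pos += n
        end = pos + length
        if end > len(buf):
            raise ValueError("truncated TLV body")
        out.append(buf[start:end])
        pos = end
    return out


def pem_to_der_like_openssl_x509(pem_text):
    """Imitate 'openssl x509 -outform DER' (hypothetical stand-in, not a call
    to OpenSSL): the x509 command handles one certificate, so only the first
    PEM block survives."""
    certs = split_pem_chain(pem_text)
    if not certs:
        raise ValueError("no certificate in input")
    return certs[0]


def chain_lengths(pem_text):
    """(certificates in the PEM chain, certificates in the DER output)."""
    der = pem_to_der_like_openssl_x509(pem_text)
    return len(split_pem_chain(pem_text)), len(der_objects(der))


def _pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column base64."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins (not real X.509 certificates): small DER SEQUENCEs
# chosen to exercise both short-form and long-form DER lengths.
EE_CERT = bytes.fromhex("3003020101")                      # SEQUENCE { INTEGER 1 }
INTERMEDIATE_CERT = bytes.fromhex("3003020102")            # SEQUENCE { INTEGER 2 }
ROOT_CERT = b"\x30\x81\x80" + b"\x04\x7e" + b"\x00" * 126  # 128-byte body, long-form length

# Constructed three-certificate chain file: EE, intermediate, root.
SAMPLE_CHAIN_PEM = _pem(EE_CERT) + _pem(INTERMEDIATE_CERT) + _pem(ROOT_CERT)

if __name__ == "__main__":
    pem_count, der_count = chain_lengths(SAMPLE_CHAIN_PEM)
    print(f"PEM chain holds {pem_count} certificate(s); DER output holds {der_count}")
```

Concatenating the three DER blobs into one file does parse as three objects with der_objects, but that is exactly the format the reply says no application treats as a chain; a PKCS#12 (or a PEM chain) is the interoperable way to carry the intermediates along with the end-entity certificate.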