Want to continue this thread but with new information. I built a
Fedora-arm 26 system (on a Cubieboard2) and it has openssl version 1.1.0f
I built my DER root cert (and private key) no problem.
I built my DER Intermediate cert private key and CSR no problem.
For the following command:
sn=8
format=der
dir=/root/ca3
cadir=/root/ca3
openssl x509 -req -days 3650 -extfile $cadir/openssl-root.cnf
-extensions v3_intermediate_ca\
-sha256 -set_serial 0x$(openssl rand -hex $sn)\
-inform $format -in $dir/csr/intermediate.csr.$format\
-outform $format -out $dir/certs/intermediate.cert.$format\
-CAkeyform $format -CAkey $cadir/private/ca.key.$format\
-CAform $format -CA $cadir/certs/ca.cert.$format
I built this reading:
https://www.openssl.org/docs/man1.1.0/apps/x509.html
This generates:
3069592528:error:0906D06C:PEM routines:PEM_read_bio:no start
line:crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE REQUEST
The man page above has CAkeyform and CAform in the summary, but no
details below. I am ASSUMEing DER is now supported.
for -sha256, I finally figured out that -[digest] is how the the man
presents which hash to use.
Why does this command use -extfile and not -config? Is it because ALL
that is taken from config is -extensions? Confusing to the casual user.
But why the error?
And yes, I know I can convert a PEM cert to DER, but I would also have
to convert the private key, and maintain duo structures in places.
Would RATHER have a parallel setup. Of course there is the challenge of
the cert chain that Viktor earlier explained. OCSP? :)
Bob
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users