Re: Cant get openssl x509 to work as documented

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 22/08/2017 22:26, Robert Moskowitz wrote:
Want to continue this thread but with new information.  I built a Fedora-arm 26 system (on a Cubieboard2) and it has openssl version 1.1.0f

I built my DER root cert (and private key) no problem.

I built my DER Intermediate cert private key and CSR no problem.

For the following command:

sn=8
format=der
dir=/root/ca3
cadir=/root/ca3

openssl x509 -req -days 3650 -extfile $cadir/openssl-root.cnf -extensions v3_intermediate_ca\
 -sha256 -set_serial 0x$(openssl rand -hex $sn)\
 -inform $format -in $dir/csr/intermediate.csr.$format\
 -outform $format -out $dir/certs/intermediate.cert.$format\
 -CAkeyform $format -CAkey $cadir/private/ca.key.$format\
 -CAform $format -CA $cadir/certs/ca.cert.$format

I built this reading:

https://www.openssl.org/docs/man1.1.0/apps/x509.html

This generates:

3069592528:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE REQUEST

The man page above has CAkeyform and CAform in the summary, but no details below.  I am ASSUMEing DER is now supported.

for -sha256, I finally figured out that -[digest] is how the the man presents which hash to use.

Why does this command use -extfile and not -config?  Is it because ALL that is taken from config is -extensions?  Confusing to the casual user.

But why the error?

And yes, I know I can convert a PEM cert to DER, but I would also have to convert the private key, and maintain duo structures in places.  Would RATHER have a parallel setup.  Of course there is the challenge of the cert chain that Viktor earlier explained. OCSP? :)


I don't think you have to pass all the various formats as PEM just
because you pass one of them as such.  After all, there are separate
-XXXform style options for most of them.

For example, you could store the CA private key in the encryption-
supporting PEM format on the plentyful memory of the SD card, while
using the more compact DER format for certificates and CSRs stored
on embedded controllers (ECUs, dashboard displays etc.).

Where OpenSSL bugs prevent use of DER for a file, it can be converted
on the fly, storing the converted file in RAM (using tmpfs or similar).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux