Re: Another problem with openssl x509 -req -- default_enddate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 29, 2017 at 05:36:34PM -0400, Robert Moskowitz wrote:

> Another problem.  It is almost like it is not reading the CA selction?

Not "almost", but actually as expected, since "openssl x509 -req"
is not the ca(1) application.

>    openssl x509 -req -extfile $dir/openssl-8021AR.cnf \
>         -extensions 8021ar_idevid -days 365 -sha256 \
>         -set_serial 0x$(openssl rand -hex $sn) \
>         -inform $format -in $dir/csr/$DevID.csr.$format \
>         -outform $format -out $dir/certs/$DevID.cert.$format \
>         -CAkeyform $format -CAkey $dir/private/8021ARintermediate.key.$format \
>         -CAform $format -CA $dir/certs/8021ARintermediate.cert.$format
> 
> does not.  Even if I leave out the -days option.

It just creates a signed certificate based on the command-line
options, with only the extensions (-extfile option) read from a
configuration file.  The only concession to ca(1)-like behaviour
is support for a compatible serial number file (likely subject to
race conditions absent external locks to serialize invocations).

    * The version is 3, since you're using extensions
    * The serial number is specified on the command line.
    * The issuer DN is taken from the signing certificate.
    * The subject DN and public key are copied from the CSR

That just leaves the dates, and you get to specify the duration
from *now* with "-days".

With "x509 -req" you're building certs pretty much from the ground
up, a short C program will do exactly the same work, and could use
an explicit end date, rather than an increment of 'n' days from
the present.

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux