On Tue, Aug 29, 2017 at 05:36:34PM -0400, Robert Moskowitz wrote:

> Another problem. It is almost like it is not reading the CA selection?

Not "almost", but actually as expected, since "openssl x509 -req" is not
the ca(1) application.

> openssl x509 -req -extfile $dir/openssl-8021AR.cnf \
>     -extensions 8021ar_idevid -days 365 -sha256 \
>     -set_serial 0x$(openssl rand -hex $sn) \
>     -inform $format -in $dir/csr/$DevID.csr.$format \
>     -outform $format -out $dir/certs/$DevID.cert.$format \
>     -CAkeyform $format -CAkey $dir/private/8021ARintermediate.key.$format \
>     -CAform $format -CA $dir/certs/8021ARintermediate.cert.$format
>
> does not. Even if I leave out the -days option.

It just creates a signed certificate based on the command-line options,
with only the extensions (-extfile option) read from a configuration
file. The only concession to ca(1)-like behaviour is support for a
compatible serial number file (likely subject to race conditions absent
external locks to serialize invocations).

  * The version is 3, since you're using extensions.
  * The serial number is specified on the command line.
  * The issuer DN is taken from the signing certificate.
  * The subject DN and public key are copied from the CSR.

That just leaves the dates, and you get to specify the duration from
*now* with "-days". With "x509 -req" you're building certs pretty much
from the ground up; a short C program will do exactly the same work, and
could use an explicit end date, rather than an increment of 'n' days
from the present.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
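The following script is an added example, not code from the mail or from OpenSSL. It reproduces the shape of the quoted "openssl x509 -req" invocation end to end (self-signed CA, device CSR, signing with -set_serial, -days and -extfile) and then reads the resulting certificate back to confirm the provenance Viktor lists: issuer from the CA certificate, subject and public key from the CSR, serial from the command line, version 3 because extensions are present, and notAfter computed as "-days" from the moment of signing. The extension section "idevid_ext", the CA and device names, and the deliberately ignored "[ ca ]" section are constructed for this example; the mail does not show the contents of its 8021ar_idevid section. It needs only the openssl command-line tool (1.1.1 or 3.x). One caveat not in the mail: "openssl rand -hex 20" can produce a value whose top bit is set, and DER then prepends a 0x00 octet, pushing the encoded serial past the 20-octet limit of RFC 5280; 16 random bytes avoid that.

```shell
#!/bin/sh
# Added example (not from the original mail). Exercises "openssl x509 -req"
# with the same option shape as the quoted command and then checks which
# field came from where. Needs the openssl CLI (1.1.1 or 3.x); every name,
# path and the extension section are constructed for this example.
set -eu

# Build CA cert, device CSR and the x509 -req signed cert under directory $1.
# The serial actually used is written to $1/serial.txt.
sign_with_x509_req() {
    dir=$1
    mkdir -p "$dir"

    # Stand-in for the 8021ar_idevid section of the mail's openssl-8021AR.cnf.
    # The [ ca ] section is deliberately present to show that it is ignored:
    # x509 -req reads only the section named by -extensions from -extfile.
    cat > "$dir/ext.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 30
[ idevid_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # Issuer: a self-signed CA (its subject becomes the device cert's issuer).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Subject and public key: a device key and CSR.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=device-0001" \
        -keyout "$dir/dev.key" -out "$dir/dev.csr" 2>/dev/null

    # Serial from the command line. 16 random bytes keep the DER INTEGER
    # within RFC 5280's 20-octet limit even when the top bit is set and
    # DER prepends a 0x00 octet; 20 random bytes would not.
    openssl rand -hex 16 > "$dir/serial.txt"

    # The signing step from the mail: nothing but the extensions comes from
    # the config file; the rest comes from options, the CA cert and the CSR.
    openssl x509 -req -in "$dir/dev.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial "0x$(cat "$dir/serial.txt")" -days 365 -sha256 \
        -extfile "$dir/ext.cnf" -extensions idevid_ext \
        -out "$dir/dev.crt" 2>/dev/null
}

# Field readers, normalised so values from different objects compare equal.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
csr_subject()  { openssl req  -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_pubkey()  { openssl x509 -in "$1" -noout -pubkey; }
csr_pubkey()   { openssl req  -in "$1" -noout -pubkey; }
cert_version() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }
# Upper-case hex with leading zeros stripped on both sides, since
# "x509 -serial" prints the minimal big-endian bytes of the INTEGER.
cert_serial()  { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//; s/^0*//'; }
file_serial()  { tr 'a-f' 'A-F' < "$1" | sed 's/^0*//'; }
# Exit 0 if the certificate is still valid $2 seconds from now.
valid_for_at_least() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }
has_extension() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# Stand-alone run: sign into a scratch directory and show the provenance.
WORK=${WORK:-$(mktemp -d)}
sign_with_x509_req "$WORK"
printf 'issuer  : %s   (copied from ca.crt subject)\n' "$(cert_issuer "$WORK/dev.crt")"
printf 'subject : %s   (copied from dev.csr)\n'        "$(cert_subject "$WORK/dev.crt")"
printf 'serial  : %s   (from -set_serial)\n'           "$(cert_serial "$WORK/dev.crt")"
printf 'version : %s   (3 because extensions are present)\n' "$(cert_version "$WORK/dev.crt")"
```

The "default_days = 30" line in the config has no effect on the result: notAfter is 365 days from signing, exactly as given by "-days", which is the behaviour the mail describes. The -checkend helper is the quickest way to confirm that from the shell without parsing the date string.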