On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote:

> So back to openssl ca and deal with no way to directly create a DER
> formatted cert.
>
> Definitely a deficiency.

Not really a deficiency, as the certificates in question need to be squirreled away in PEM format in the CA's "certs/" directory (compatibility with longstanding behaviour), and are much more easily exported, via email etc., in PEM format. It is trivial to convert a PEM certificate to DER.

Mind you, if I wanted a specialized CA, I'd go with the C API, where you can do *exactly* what you want:

    * Store metadata in a SQL database.
    * Read keys directly from PKCS8
    * Write certs directly in DER form
    * ...

The openssl ca(1) program is to some extent just a demo, that meets only the simplest needs. Perhaps you were looking for a turnkey CLI, but you have a specialized new use-case, and it is not entirely surprising that it is not directly supported.

Patches to support missing features that might be of use to others are welcome. The software evolves best through community participation.

-- 
    Viktor.