Viktor,

On 08/30/2017 12:59 AM, Viktor Dukhovni wrote:
> On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote:
>
>> So back to openssl ca and deal with no way to directly create a DER
>> formatted cert.
>> Definitely a deficiency.
>
> Not really a deficiency, as the certificates in question need to
> be squirreled away in PEM format in the CA's "certs/" directory
> (compatibility with longstanding behaviour), and are much more
> easily exported, via email etc., in PEM format.
>
> It is trivial to convert a PEM certificate to DER. Mind you,
> if I wanted a specialized CA, I'd go with the C API, where
> you can do *exactly* what you want:
>
> * Store metadata in a SQL database.
> * Read keys directly from PKCS8
> * Write certs directly in DER form
> * ...
>
> The openssl ca(1) program is to some extent just a demo, that meets
> only the simplest needs. Perhaps you were looking for a turnkey
> CLI, but you have a specialized new use-case, and it is not entirely
> surprising that it is not directly supported.
>
> Patches to support missing features that might be of use to others
> are welcome. The software evolves best through community participation.

I am not a coder. In fact I pretty much stopped writing code in the
'80s. I DID some programming in B on Honeywells. The only place where
B escaped Bell Labs. I never got to C; moved on to other IT support
work, then to coding standards in English...

I have some limited scripting skills.

So as much as I would like to contribute code, with maybe 2 years to
retirement, I am not going to pick it up. But who knows, maybe I will
take a C programming course as part of my retirement activities.

I kind-of slept on this issue. I know that I can convert a PEM cert to
DER, but I have been thinking about 'what of the other portions, like
the keypair file?' I woke up with a little clearer head and realized that
a truly constrained device won't even bother with DER, but just store
the raw keypair. So doing the creation all PEM and converting what is
needed as DER to DER may be a realistic approach.

Thanks for your help on this.

Bob
--
openssl-users mailing list