CA/Server configuration

Hello


I am looking to clarify some conceptual and practical questions I've accumulated while trying to configure a private 'Root CA - Intermediate CA - Server' setup. Most of my confusion revolves around the configuration of the Intermediate CA due to its role as both a requester and a provider of certificates.

The first and perhaps most fundamental thing unclear to me is what the configuration and extensions (provided via -config and -extensions arguments) actually configure and extend. For instance, does `default_ca` specify the parameters of the CA I'm operating, or the CA I'm requesting a certificate from? Does the `[req]` section configure the requests I create or the way I process others' requests (and so the certificates I output)? To further the confusion, the `copy_extensions` setting seems to imply that the extensions exist on both the CA and the requester side!

Secondly, how is the absence of a configuration field/section/extension handled? Does it default to some value (e.g. from /etc/ssl/openssl.cnf) or simply remain empty? For example, if I have no interest in OCSP functionality, is the non-provision of all of the related fields enough to prevent my certificates being declared invalid because CRL requests fail?

Thirdly, I would like to understand the difference between the 'digest' and the 'cipher' and what roles they perform in the communication process, especially in relation to the actual signing algorithm. As an aside: I've noticed that using any of the `sha3-*` digests somehow prevents Windows 10 from verifying my certificates.

On to more practical concerns, I am thoroughly confused by how many OpenSSL tools seemingly perform the same tasks. For example, one can generate a certificate using any one of `req`, `ca`, and `x509 -req`. I understand that some of these have additional functionality, such as generating key, CSR, and certificate all at once, so I would like to know what the go-to lowest-level, DOTADIW tools are for these purposes. At the moment, I am using `genpkey` for, well, private key generation, and `req -new` for the CSR.

Finally, if anyone happens to be in possession of an exhaustive configuration file that includes all possible sections and fields supported by OpenSSL, I would very much appreciate a copy!

I hope I've managed to present my questions clearly enough, but would be happy to provide clarifications if needed.


Thanks


---------

The nice thing about standards is that there are so many to choose from
— Andrew S. Tanenbaum
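The three-tier setup the post asks about, as an added example that is not part of the original message: a shell script that builds Root, Intermediate and Server certificates with the low-level tools the poster already uses (`genpkey`, `req -new`, `x509 -req`), keeping every config section in one file to show that `[req]` is consumed only by the requester's `req` invocation while the extension sections are consumed by the signer. The subject names, the hostname `www.example.test` and the working directory are made up for the demo.

```sh
# Added example (not from the original post); names and paths are made up.
set -eu
write_config() {  # $1 = config path; one file, but each tool reads only its part
  cat > "$1" <<'EOF'
# [req] is read only by `openssl req`: it shapes the CSR (or self-signed cert)
# *you* produce and says nothing about how a CA handles other people's CSRs.
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
# Extension sections are read by the *signer* (req -x509, or x509 -req through
# -extfile/-extensions): the cert gets what the signer's section says, not what
# the CSR asked for, unless the CA opts in with copy_extensions.
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[srv_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
EOF
}
build_chain() {  # $1 = work dir (cd's into it); leaves root.pem, int.pem, srv.pem
  mkdir -p "$1" && cd "$1" && write_config demo.cnf
  for n in root int srv; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$n.key"
  done
  # Root: requester and signer are the same party, so `req -x509` does both jobs.
  openssl req -new -x509 -sha256 -days 30 -key root.key -config demo.cnf \
    -subj '/CN=Demo Root' -extensions root_ext -out root.pem
  # Intermediate/server: `req -new` = requester side, `x509 -req` = signer side.
  openssl req -new -key int.key -config demo.cnf -subj '/CN=Demo Int' -out int.csr
  openssl x509 -req -sha256 -days 30 -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile demo.cnf -extensions int_ext -out int.pem
  openssl req -new -key srv.key -config demo.cnf -subj '/CN=www.example.test' -out srv.csr
  openssl x509 -req -sha256 -days 30 -in srv.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -extfile demo.cnf -extensions srv_ext -out srv.pem
}
chain_verifies() {  # $1 = dir; exit 0 only if srv.pem chains up to root.pem
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/srv.pem" >/dev/null
}
```

Call `build_chain /tmp/demo-ca` and then `chain_verifies /tmp/demo-ca`; the latter exits 0 when `openssl verify` accepts the server certificate through the intermediate to the root. `openssl ca`, which additionally maintains the index and serial database, is deliberately not used here.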

