Hello Cyprus,

I’m not exactly what you’d call an expert on openssl, but I do use it frequently. There is a very good openssl wrapper project called EasyRSA that I highly recommend. We put together a very simple Certificate Authority for application testing using this package and it made things much easier. You can find it here: https://github.com/OpenVPN/easy-rsa

Now to address your questions…

First, -config allows you to specify a configuration file to use for the operation. From the OpenSSL documentation (https://www.openssl.org/docs/man1.1.1/man1/openssl.html): "Many commands use an external configuration file for some or all of their arguments and have a -config option to specify that file." The -extensions option allows you to provide certain configuration options (called extensions) on the command line instead of in a configuration file. These extensions are typically within the realm of X509 (certificates, CSRs, CRLs and the like). For example, there is an Extended Key Usage extension; see https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html

Second, depending on the operation and the specific configuration field, the lack of a value might result in a default value being used, or it might cause the absence of the resulting field in the result of the operation. For example, if you don’t specify the digest when running openssl req it defaults to sha256 (but that also depends on the specified public key algorithm). In contrast, if you don’t specify the OCSP responder URI when signing a CSR, there will not be an OCSP responder URI in the resulting signed certificate.

Is it possible to create an unusable certificate with openssl? Probably. But, in general, it’s the application that is conducting the validation of your certificates that determines whether the certificate is rejected. An application might accept the certificate without any revocation checking extensions (CRL or OCSP) or prompt whether to trust it. I guess Windows 10 doesn’t support sha-3* digests and so rejects the certificate. Other operating systems and/or applications might very well accept the same certificate.

Third, you’ll need to throw a study on the SSL/TLS protocols to understand how ciphers and digests are used in the communication process (I’m assuming that’s what you mean by communication).

Yes, there are multiple ways to perform some operations; welcome to openssl. The differences typically allow for an operation-“centric” approach, meaning each operation has specific defaults that may differ from other operations, or one operation might provide multiple outputs whereas another only provides one, as you observed. My advice here is to choose the operation that makes the most sense with respect to the desired end result, or the operation that ends up being easier for you to code against.

With respect to a configuration reference, here is my go-to: https://www.phildev.net/ssl/opensslconf.html I don’t know whether it’s 100% complete or not, but it has served me well.

Cheers!
-Pat

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx>
On Behalf Of Cyprus Socialite

Hello
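The two points in Pat's reply about -extensions and about fields that are simply absent when not configured (the OCSP responder URI) can be seen directly with a throwaway CA. The script below is an added example, not code from the mail or from the openssl project: it builds a demo CA, signs one CSR with an extensions section (selected by name with -extensions from the file given to -extfile) and signs the same CSR again with no extensions file, then checks with openssl x509 -text which fields each certificate carries. The CA name, the app.example.test hostname and the ocsp.example.test URI are constructed for the demo; the explicit -sha256 shows where the signature digest comes from rather than relying on a version-dependent default.

```shell
#!/bin/sh
# Added example (not from the original mail): demo CA that signs one CSR with
# an extensions section (EKU + OCSP URI) and once without, so the presence or
# absence of those fields can be checked with "openssl x509 -noout -text".
# All names, paths and the OCSP URI below are constructed for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions file. "-extensions server_ext" picks this section by name; the
# OCSP responder URI appears in the output only because it is listed here.
cat > "$WORK/ext.cnf" <<'EOF'
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.test
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF

# Self-signed demo CA plus a leaf key and CSR (2048-bit RSA, no passphrase).
make_ca_and_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=app.example.test" -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" 2>/dev/null
}

# Sign the same CSR twice: with the extensions section, and with none at all.
sign_leaf() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions server_ext \
    -out "$WORK/leaf-ext.crt" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf-plain.crt" 2>/dev/null
}

# Checks that return 0/1 so a script or CI job can assert on them.
cert_has_ocsp_uri()   { openssl x509 -in "$1" -noout -text | grep -q 'OCSP - URI:'; }
cert_has_server_eku() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; }
cert_verifies()       { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
# First "Signature Algorithm:" line of the text dump, e.g. sha256WithRSAEncryption.
cert_sig_alg()        { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# Human-readable summary of what each certificate ended up with.
report() {
  for f in leaf-ext.crt leaf-plain.crt; do
    p="$WORK/$f"
    if cert_has_ocsp_uri "$p";   then ocsp=present; else ocsp=absent; fi
    if cert_has_server_eku "$p"; then eku=present;  else eku=absent;  fi
    if cert_verifies "$p";       then chain=ok;     else chain=FAIL;  fi
    echo "$f: OCSP URI $ocsp, serverAuth EKU $eku, chain $chain, sig $(cert_sig_alg "$p")"
  done
}

make_ca_and_csr
sign_leaf
report
```

Both certificates chain to the demo CA and verify, which is the point of the "unusable certificate" question: openssl will happily sign a certificate that lacks an OCSP URI or a server EKU, and only the application that validates it decides whether those absences matter.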