> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Dmitrii Odintcov
> Sent: Sunday, 2 October, 2022 21:15
>
> This is where the confusion begins: if ‘bar’, the certificate requestor, itself
> wants to be a CA (basicConstraints = CA:true),

I assume here you mean bar is going to be a subordinate CA for foo, or bar is a subordinate that's being cross-signed by foo. Otherwise foo issuing a CA certificate for bar doesn't make sense.

Note that bar can't be a root, since it'll be signed by some entity other than itself. (A root is a self-signed CA certificate, by definition.)

> then its bar.conf must answer both sets of questions at the same time!

Why? Creating a CSR and generating the certificate for it are separate operations. bar's configuration is used in creating the CSR. foo's is used in generating the certificate.

> For instance, if bar wants to request its own CA certificate to be valid for
> 5 years, but is only willing to issue others’ certificates for 1 year, what
> should `default_days` be in bar.conf?

Oh, I see, you're talking about generating bar's CSR versus signing certificates using bar. The answer is: you have two configurations, one for generating bar's CSR and the other for signing certificates using bar. Those are separate operations (obviously, since bar can't sign anything until it has its certificate), so they're not required to use the same configuration.

Configuration files are tied to *operations*, not to *entities*. You use the configuration file appropriate for the operation, where an operation is something like "requesting a CSR for a subordinate CA" or "signing a certificate for a subordinate CA" or "signing a certificate for a non-CA entity".

-- 
Michael Wojcik
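The "one config per operation" split described in the reply, as an added worked example (this is not code from the thread or from OpenSSL's own samples). It keeps the thread's names foo and bar; the file names (foo-root.conf, bar-csr.conf, foo-ca.conf, bar-ca.conf, leaf-csr.conf), the 1825/365-day values, the leaf name leaf.example and the choice of P-256 keys are all constructed for the demo. bar's CSR config asks for CA:true and has no `default_days` at all; foo's `ca` config carries `default_days = 1825` and decides bar's 5 years, and bar's separate `ca` config carries `default_days = 365` for the certificates bar issues.

```shell
#!/bin/sh
# Added example (not code from the thread). foo and bar are the thread's names;
# every file name, value and key type here is constructed for the demo:
#   bar-csr.conf : generating bar's own CSR -> asks for CA:true, has no default_days
#   foo-ca.conf  : foo signing certificates -> bar gets a 5-year CA certificate
#   bar-ca.conf  : bar signing certificates -> leaf certificates get 1 year
set -eu

# Config for a `req` operation. $1 = file, $2 = CN, $3 = extensions requested.
# No default_days: validity is the signer's decision, made in its own `ca` config.
write_req_conf() {
  cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = $3
x509_extensions = $3
[ dn ]
CN = $2
[ ext_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ext_leaf ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
EOF
}

# Config for a `ca` operation run by CA $2 in work dir $1: default_days $3 and
# extension section $4 for what it issues. copy_extensions stays off, so the
# signer, not the CSR, decides the extensions of the issued certificate.
write_ca_conf() {
  mkdir -p "$1/$2/newcerts"
  : > "$1/$2/index.txt"
  echo 01 > "$1/$2/serial"
  cat > "$1/$2-ca.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $1/$2/index.txt
new_certs_dir = $1/$2/newcerts
serial = $1/$2/serial
certificate = $1/$2.crt
private_key = $1/$2.key
default_md = sha256
default_days = $3
policy = policy_cn
copy_extensions = none
x509_extensions = $4
[ policy_cn ]
commonName = supplied
[ v3_sub_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root foo -> subordinate CA bar -> leaf, built in $1. openssl's chatter is
# silenced; set -e still aborts the script on any failing step.
build_demo_pki() {
  w=$1
  newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  write_req_conf "$w/foo-root.conf" foo ext_ca
  openssl req -x509 -new -config "$w/foo-root.conf" $newkey -days 3650 \
    -keyout "$w/foo.key" -out "$w/foo.crt" 2>/dev/null
  write_req_conf "$w/bar-csr.conf" bar ext_ca        # bar's CSR config: asks for CA:true
  openssl req -new -config "$w/bar-csr.conf" $newkey \
    -keyout "$w/bar.key" -out "$w/bar.csr" 2>/dev/null
  write_ca_conf "$w" foo 1825 v3_sub_ca              # foo's signing config: 5 years
  openssl ca -batch -notext -config "$w/foo-ca.conf" \
    -in "$w/bar.csr" -out "$w/bar.crt" 2>/dev/null
  write_req_conf "$w/leaf-csr.conf" leaf.example ext_leaf
  openssl req -new -config "$w/leaf-csr.conf" $newkey \
    -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null
  write_ca_conf "$w" bar 365 v3_leaf                 # bar's signing config: 1 year
  openssl ca -batch -notext -config "$w/bar-ca.conf" \
    -in "$w/leaf.csr" -out "$w/leaf.crt" 2>/dev/null
}

# Succeed iff $1 expires between $2-1 and $2+1 days from now, i.e. it was just
# issued with a $2-day validity (x509 -checkend exits 0 while still valid then).
cert_lifetime_days_is() {
  openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
  ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

chain_verifies() {  # leaf -> bar -> foo, trusting only the root foo
  openssl verify -CAfile "$1/foo.crt" -untrusted "$1/bar.crt" "$1/leaf.crt" >/dev/null
}

WORK=$(mktemp -d)
build_demo_pki "$WORK"
chain_verifies "$WORK" && echo "chain ok"
cert_lifetime_days_is "$WORK/bar.crt" 1825 && echo "bar.crt: 5-year CA certificate (from foo-ca.conf)"
cert_lifetime_days_is "$WORK/leaf.crt" 365 && echo "leaf.crt: 1-year certificate (from bar-ca.conf)"
```

Run it with `sh` and inspect the generated files: the `req` configs carry subject and requested extensions only, while each `ca` config carries the database, the signing key, `default_days` and the extensions that CA is willing to issue. Since `copy_extensions = none`, foo is free to narrow what bar asked for (here it adds `pathlen:0`), which is why bar's CSR settings never have to agree with bar's own signing settings.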