Hello Matthias,
this does not look like an error message. According to your
pasted output the keys have been created. I cannot tell whether
the signing request has been created, did you check this?
I'd say that this is only a warning message, notifying you that a non-functional parameter has been specified. I'd assume that your script is still working if you ignore this warning message.
IMHO it is a bug in the old version that it did not complain about the parameter. This bug seems to be fixed now.
Hope this helpsTed
--Since ages (with version 1.x) we use the following steps to generate the key material for a SSL connection between our clients and application servers (the commands with a dollar sign in front have been entered the other openssl command lines are spilled out from the tool CA.pl):
$ export LD_LIBRARY_PATH=/usr/local/sisis-pap/lib
$ export PATH=/usr/local/sisis-pap/bin:$PATH
$ export OPENSSL=/usr/local/sisis-pap/bin/openssl
$ mkdir new
$ cd new
$ /usr/local/sisis-pap/misc/CA.pl -newca
/usr/local/sisis-pap/bin/openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
/usr/local/sisis-pap/bin/openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from /usr/local/sisis-pap/openssl.cnf
$ /usr/local/sisis-pap/misc/CA.pl -newreq/usr/local/sisis-pap/bin/openssl req -new -keyout newkey.pem -out newreq.pem -days 365
$ /usr/local/sisis-pap/misc/CA.pl -sign
/usr/local/sisis-pap/bin/openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
Using configuration from /usr/local/sisis-pap/openssl.cnf
And now with the version 3.0.x the step -newreq gives this error messageIgnoring -days without -x509; not generating a certificate
As you can see, I didn't gave any further parameter to the tool CA.pl, only the openssl command contructed and fired-up by CA.pl says -days 365. Is this a new bug in CA.pl or what is causing this?
Matthias
--Martin Bonner schrieb am Mittwoch, 29. Januar 2025 um 14:48:02 UTC+1:
“-days” specifies how long the certificate should be valid for – but you haven’t asked to generate a certificate so openssl just ignores “-days”
Martin Bonner
From: openss...@xxxxxxxxxxx <openss...@xxxxxxxxxxx> On Behalf Of Matthias Apitz
Sent: 29 January 2025 13:24
To: openssl-users <openss...@xxxxxxxxxxx>
Cc: Matthias Apitz <gu...@xxxxxxxxxxx>
Subject: [EXTERNAL] CA.pl error message: Ignoring -days without -x509; not generating a certificate
This is with OpenSSL: openssl version OpenSSL 3. 0. 12 24 Oct 2023 (Library: OpenSSL 3. 0. 12 24 Oct 2023) I generate kex material with CA. pl like: CA. pl -newreq ==== /usr/local/sisis-pap/bin/openssl req -new -keyout newkey. pem -out newreq. pem
This is with OpenSSL:
openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
I generate kex material with CA.pl like:
CA.pl -newreq
====
/usr/local/sisis-pap/bin/openssl req -new -keyout newkey.pem -out newreq.pem -days 3650
Ignoring -days without -x509; not generating a certificate
Generating a 2048 bit RSA private key
.....................+++...
What does this error message mean?
Matthias
Btw:
I read the announcement on July 17, 2024 that the mailing list now moved to here, to Google Groups. IMHO, a very bad idea. Now I can just glance through my mails to see if there is someting of interest for me or my work. I now have to go to here and check this from time to time. Mails I get even when I'm on the road on my Linux cellphone...
Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/8c0faf99-f730-4f4a-98f2-aeadb5682b22n%40openssl.org.
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/2dbd2d17-d60a-4ff5-b6ae-d16beb8d28e3n%40openssl.org.
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/47cd352a-b6e6-473d-b6d1-ea0e09c97594%40convey.de.
