Not updating index.txt

Robert Moskowitz
I started out making certs from csrs with:

openssl ca -config $dir/openssl-intermediate.cnf -extensions usr_cert \
       -days 375 -notext -md sha256 \
       -in $dir/csr/$clientemail.csr.$format \
       -out $dir/certs/$clientemail.cert.$format

And that worked well enough, but I found some limitations (DER) with it
and switched to:


    openssl x509 -req -days 375 -extfile $dir/openssl-intermediate.cnf\
        -extensions usr_cert -sha256\
        -set_serial 0x$(openssl rand -hex $sn)\
        -inform $format -in $dir/csr/$clientemail.csr.$format\
        -outform $format -out $dir/certs/$clientemail.cert.$format\
        -CAkeyform $format -CAkey $dir/private/intermediate.key.$format\
        -CAform $format -CA $dir/certs/intermediate.cert.$format

I just noticed that this format does not update the index.txt file.
Why?  What do I need to add so it does?

Bob


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Not updating index.txt

Dr. Stephen Henson
On Tue, Aug 29, 2017, Robert Moskowitz wrote:

> I started out making certs from csrs with:
>
> openssl ca -config $dir/openssl-intermediate.cnf -extensions usr_cert \
>       -days 375 -notext -md sha256 \
>       -in $dir/csr/$clientemail.csr.$format \
>       -out $dir/certs/$clientemail.cert.$format
>
> And that worked well enough, but I found some limitations (DER) with
> it and switched to:
>
>
>    openssl x509 -req -days 375 -extfile $dir/openssl-intermediate.cnf\
>        -extensions usr_cert -sha256\
>        -set_serial 0x$(openssl rand -hex $sn)\
>        -inform $format -in $dir/csr/$clientemail.csr.$format\
>        -outform $format -out $dir/certs/$clientemail.cert.$format\
>        -CAkeyform $format -CAkey $dir/private/intermediate.key.$format\
>        -CAform $format -CA $dir/certs/intermediate.cert.$format
>
> I just noticed that this format does not update the index.txt file.
> Why?  What do I need to add so it does?
>

Unlike ca, the index.txt file is not used by the x509 utility at all; it also
only uses the configuration file for extensions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
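
An added example, not part of the thread and not OpenSSL project code: since `openssl x509 -req` never writes to index.txt, certificates issued that way are absent from the CA database, and this script compares serial numbers against index.txt to find them. The function names, sample entries and sample serials are constructed for illustration.

```shell
#!/bin/sh
# Added example: find serials that are absent from an "openssl ca" database.
# index.txt is tab-separated: status, expiry, revocation date, serial,
# file name, subject DN. It is maintained by "openssl ca".

# Uppercase a hex serial and drop leading zeros so both sources compare equal.
norm_serial() {
    printf '%s\n' "$1" | tr 'a-f' 'A-F' | sed 's/^0*\(.\)/\1/'
}

# Serial of one certificate file; $2 is PEM or DER (needs the openssl CLI).
cert_serial() {
    openssl x509 -noout -serial -inform "$2" -in "$1" | sed 's/^serial=//'
}

# Normalized serials recorded in the database file $1 (field 4).
index_serials() {
    awk -F'\t' 'NF >= 6 { s = toupper($4); sub(/^0+/, "", s)
                          if (s == "") s = "0"; print s }' "$1"
}

# missing_from_index DB SERIAL...: print every serial the database lacks.
missing_from_index() {
    db=$1; shift
    known=$(index_serials "$db")
    for s in "$@"; do
        n=$(norm_serial "$s")
        printf '%s\n' "$known" | grep -qxF -- "$n" || printf '%s\n' "$n"
    done
}

# Constructed sample database: one valid and one revoked entry.
write_sample_index() {
    printf 'V\t270908120000Z\t\t1A2B3C\tunknown\t/CN=alice@example.com\n' > "$1"
    printf 'R\t270908120000Z\t170901000000Z\t00FF10\tunknown\t/CN=bob@example.com\n' >> "$1"
}

# Demo on the constructed data; 7F009A stands for a certificate issued with
# "openssl x509 -req", which never touched index.txt.
demo_db=$(mktemp)
write_sample_index "$demo_db"
missing_from_index "$demo_db" 1a2b3c ff10 7F009A
rm -f "$demo_db"
```

For real certificates, pass the output of `cert_serial FILE PEM` (or `DER`) as the serial arguments, with the database path taken from the `database` setting of the CA configuration.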

Re: Not updating index.txt

Robert Moskowitz


On 08/29/2017 07:24 PM, Dr. Stephen Henson wrote:

> On Tue, Aug 29, 2017, Robert Moskowitz wrote:
>
>> I started out making certs from csrs with:
>>
>> openssl ca -config $dir/openssl-intermediate.cnf -extensions usr_cert \
>>        -days 375 -notext -md sha256 \
>>        -in $dir/csr/$clientemail.csr.$format \
>>        -out $dir/certs/$clientemail.cert.$format
>>
>> And that worked well enough, but I found some limitations (DER) with
>> it and switched to:
>>
>>
>>     openssl x509 -req -days 375 -extfile $dir/openssl-intermediate.cnf\
>>         -extensions usr_cert -sha256\
>>         -set_serial 0x$(openssl rand -hex $sn)\
>>         -inform $format -in $dir/csr/$clientemail.csr.$format\
>>         -outform $format -out $dir/certs/$clientemail.cert.$format\
>>         -CAkeyform $format -CAkey $dir/private/intermediate.key.$format\
>>         -CAform $format -CA $dir/certs/intermediate.cert.$format
>>
>> I just noticed that this format does not update the index.txt file.
>> Why?  What do I need to add so it does?
>>
> Unlike ca, the index.txt file is not used by the x509 utility at all; it also
> only uses the configuration file for extensions.

This, and what Viktor said is 'waking me up to' req is NOT a solution.

Back to ca.

thanks

