ca's config options -certs vs. -new_certs_dir

TimN

Hi, I am not understanding the point of the config file's mandatory default -new_certs_dir into which goes what appears to be a copy of the certificate I specifically locate elsewhere in the file system. I am using the -out option from the command line to generate the file named according to the convention I have chosen...and then in the new_certs directory is deposited the <hex>.pem file. Of course, I haven't found an explanation as to why this happens in the documentation or the Googlie.

Thanks,

Tim


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: ca's config options -certs vs. -new_certs_dir

Michael Wojcik

It's because processing a request can generate multiple certificates. Therefore ca needs a destination where it can write multiple certificates, not just a single one.

Note that new_certs_dir is only used if -outdir wasn't specified on the command line. You could create a temporary directory, pass its pathname with -outdir, then remove the directory and its contents after running ca.

With -out, all the certificates are just concatenated to the file. Usually they're PEM, so that's OK; the exception is if -spkac is used to specify an SPKAC file. SPKAC is mostly used in conjunction with the HTML KEYGEN element, when interpreted by Firefox and some other browsers. So you could argue that -outdir / new_certs_dir should be optional, since usually the single output file is more or less usable.

But it isn't optional, and that's life.

Of course, if you're building OpenSSL from source, it wouldn't be hard to make the necessary changes to ca.c.

Michael Wojcik
Distinguished Engineer, Micro Focus

From: openssl-users [mailto:[hidden email]] On Behalf Of Nichols, Timothy (Checkpoint)
Sent: Wednesday, March 08, 2017 13:57
To: [hidden email]
Subject: [openssl-users] ca's config options -certs vs. -new_certs_dir
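Michael's answer explains why -out leaves one concatenated file while new_certs_dir / -outdir receives one <serial-hex>.pem per certificate. The following is an added example, not code from the thread or from OpenSSL: if a batch run like Tim's kept only the -out bundle, it splits the bundle back into per-certificate blocks keyed by serial, reading the serialNumber with a minimal DER walker; the sample bundle is built from constructed stand-in DER, not real certificates.

```python
# Added example (not from the thread): split a bundle that `openssl ca -out`
# concatenated into one block per certificate, keyed by <serial-hex> the way
# ca names the copies it drops into new_certs_dir / -outdir.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Minimal DER reader: (tag, value_start, value_end) of the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial_hex(der):
    """serialNumber of a DER certificate as even-length upper-case hex (BN_bn2hex style)."""
    _, pos, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, pos, _ = _read_tlv(der, pos)        # tbsCertificate ::= SEQUENCE
    tag, start, end = _read_tlv(der, pos)  # optional [0] EXPLICIT version ...
    if tag == 0xA0:
        tag, start, end = _read_tlv(der, end)  # ... then serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    h = format(int.from_bytes(der[start:end], "big"), "X")
    return h if len(h) % 2 == 0 else "0" + h

def split_bundle(pem_text):
    """Map serial-hex -> PEM block for every certificate in a concatenated bundle."""
    return {cert_serial_hex(base64.b64decode(m.group(1))): m.group(0) + "\n"
            for m in PEM_RE.finditer(pem_text)}

def _fake_cert_der(serial):
    """Constructed stand-in, NOT a real certificate: only the SEQUENCE wrappers,
    the [0] version and the serialNumber that cert_serial_hex reads are present."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # keeps INTEGER positive
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02" + bytes([len(ser)]) + ser
    tbs = b"\x30" + bytes([len(tbs)]) + tbs
    return b"\x30" + bytes([len(tbs)]) + tbs

def _fake_cert_pem(serial):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(_fake_cert_der(serial)).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed bundle: what -out leaves you with after issuing two certificates.
SAMPLE_BUNDLE = _fake_cert_pem(0x1000) + _fake_cert_pem(0x1001)
```

Writing each returned block to `<serial>.pem` in a directory reproduces the layout that -outdir would have given directly.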

Re: ca's config options -certs vs. -new_certs_dir

TimN

Thank you, sir. I was attacking this from the standpoint of needing to generate several thousand certificates for testing purposes and so unique certificates went to unique files. I think I must have used -out by itself, though I believe I tried the -outdir option at the end when I tried to tighten up my script.

I didn't think when I undertook this effort that it would turn into such a slog wherein I'd need to understand all this minutia. Now, much to my surprise, I love this stuff...

-TN
From: openssl-users [mailto:[hidden email]] On Behalf Of Michael Wojcik
Sent: Wednesday, March 08, 2017 13:39
To: [hidden email]
Subject: [EXTERNAL] Re: [openssl-users] ca's config options -certs vs. -new_certs_dir