Hi,

Working with signing of certificates and it seems that different cert
signing scripts are using different methods to sign.

mkcert.sh uses

    openssl x509 -ext somefile -moreoptions... \
        -in blah.csr -out blah.crt

sign.sh uses

    openssl ca -config somefile \
        -in blah.csr -out blah.crt

It seems to me that these two are doing the same things, namely using a
cert request and producing a cert based on your own CA cert. After all, the
product of both processes can be verified with openssl verify -CAfile
ca.crt certname. Is there a difference?

Related to this,
mkcert.sh uses the following for its extfile

    [ req ]
    default_bits = 1024
    distinguished_name = req_DN
    [ req_DN ]
    countryName = "1. Country Name (2 letter code)"
    countryName_default = XY
    countryName_min = 2
    .... more stuff ....
    emailAddress_max = 40
    emailAddress_default = [EMAIL PROTECTED]
    extensions = x509v3
    [ x509v3 ]
    subjectAltName = email:copy
    nsComment = "mod_ssl generated custom server certificate"
    nsCertType = server

On the other hand, sign.sh just uses this for its -config arg

    [ ca ]
    default_ca = CA_own
    [ CA_own ]
    dir = .
    certs = \$dir
    new_certs_dir = \$dir/ca.db.certs
    database = \$dir/ca.db.index
    serial = \$dir/ca.db.serial
    RANDFILE = \$dir/ca.db.rand
    certificate = \$dir/ca.crt
    private_key = \$dir/ca.key
    default_days = 365
    default_crl_days = 30
    default_md = md5
    preserve = no
    policy = policy_anything
    [ policy_anything ]
    countryName = optional
    stateOrProvinceName = optional
    etc.

What do I really need to put into extfile or config?

randyboy.
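
Added example, not part of the original post and not mod_ssl's own scripts: the function below signs one CSR with both commands from a single config file, so the sections each command actually reads can be compared. All file names, subject names, the 2048-bit/SHA-256 settings and the demo.cnf layout are assumptions constructed for this example.

```shell
# Added example: one CSR signed by both commands. All names are constructed.
sign_both_ways() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ x509v3 ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 30
default_md = sha256
policy = policy_anything
x509_extensions = x509v3
[ policy_anything ]
commonName = supplied
EOF
        # Throwaway CA and server CSR.
        openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1
        openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=www.example.test" -keyout server.key -out server.csr 2>/dev/null || exit 1
        # x509 path: stateless, reads only the [ x509v3 ] section via -extfile.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -days 30 \
            -sha256 -extfile demo.cnf -extensions x509v3 -out via_x509.crt 2>/dev/null || exit 1
        # ca path: reads [ ca ]/[ CA_own ], enforces the policy, records the issuance.
        mkdir ca.db.certs && : > ca.db.index && echo 02 > ca.db.serial || exit 1
        openssl ca -batch -config demo.cnf -in server.csr -out via_ca.crt 2>/dev/null || exit 1
        openssl verify -CAfile ca.crt via_x509.crt via_ca.crt >/dev/null 2>&1 || exit 1
        # Only the ca path leaves a record: print the count of valid ("V") entries.
        grep -c '^V' ca.db.index
    )
    rc=$?; rm -rf "$work"; return $rc
}
```

The function prints 1: both certificates verify against ca.crt, but only the openssl ca run wrote an entry to ca.db.index and advanced ca.db.serial.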