Folks,

Recently I was helping Henry Story with his foaf+ssl* code (folks on this list may well be interested) and ran into something I've been totally relying on for years, but never knew was happening: 'ca' (but not x509 or req) is clever enough to magically output DER when SPKAC is used and an output file is specified (but will otherwise default to PEM, both on stdout and in the -outdir).

E.g. (from app.c):
                if (spkac_file != NULL)
                        {
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
                ....
                                if (outfile)
                                        {
                                        output_der = 1;
                                        batch = 1;
                                        }
                                }

which means that

openssl ca -config /etc/CA/openssl.conf -days 180 -notext -batch -spkac ~/tmp/eg.spkac > foo
and
openssl ca -config /etc/CA/openssl.conf -days 180 -notext -batch -spkac ~/tmp/eg.spkac -out foo

do yield a PEM resp. DER format in 'foo'. And that is a bit confusing. I suggest the below for the docs, as it had me scratching my head for a bit. And I am not that unfamiliar with openssl :)

Cheers,

Dw.

*: http://blogs.sun.com/bblfish/entry/foaf_ssl_creating_a_global

*** ca.pod.orig Sun Jan  4 21:17:06 2009
--- ca.pod      Sun Jan  4 21:20:47 2009
***************
*** 83,89 ****

  a file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
! section for information on the required format.

  =item B<-infiles>

--- 83,89 ----

  a file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
! section for information on the required format and returned format.

  =item B<-infiles>
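
Review bot: in the changed line of the -spkac item, "the required format and returned format" does not say what is returned and repeats "format". Suggest wording such as "for information on the required input format and on the format of the certificate that is returned", so the reader knows the cross-reference also covers the output encoding.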

***************
*** 94,100 ****

  the output file to output certificates to. The default is standard
  output. The certificate details will also be printed out to this
! file.

  =item B<-outdir directory>

--- 94,100 ----

  the output file to output certificates to. The default is standard
  output. The certificate details will also be printed out to this
! file. The format is normally PEM - except when handling
! SPKAC files; then a DER file is returned when a file
! is specified; otherwise PEM is emitted on stdout.

  =item B<-outdir directory>
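
Review bot: the three added lines under -out say "when a file is specified", which can be read as the SPKAC input file rather than the -out file, and they leave out -outdir, which the last hunk says stays PEM. Suggest naming the options in the page's own markup, for example "when B<-spkac> is used together with B<-out> the certificate is written in DER", and pointing to the longer note instead of restating part of it. It is also worth checking whether the unchanged sentence just above ("The certificate details will also be printed out to this file") still holds for the DER case, and qualifying it if not.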

***************
*** 495,500 ****
--- 495,508 ----
  If you need to include the same component twice then it can be
  preceded by a number and a '.'.

+ Note that when handling SPKAC files the output format is set
+ to DER, not PEM when the output is written to a file specified
+ with -out.  As to allow sending it straight to a browser with a
+ MIME-type of 'application/x-x509-user-cert'.
+
+ However the format is kept PEM when sent to stdout (i.e. without the
+ -out flag) or when written to a '-outdir'.
+
  =head1 EXAMPLES

  Note: these examples assume that the B<ca> directory structure is
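
Review bot: the added note documents the DER switch but not the other side effect shown in the app.c excerpt in the mail, where the same branch also sets batch = 1; if -out together with -spkac implies batch mode, that belongs in this note too. "As to allow sending it straight to a browser ..." is a sentence fragment and should be joined to the previous sentence ("..., so that it can be sent straight to a browser ..."), and -out and '-outdir' should be written B<-out> and B<-outdir> as in the rest of the page.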

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
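
Added example (not part of the original mail and not OpenSSL code): a consumer of `openssl ca -spkac` output that accepts either encoding described above, PEM from stdout (possibly preceded by the text dump) or DER from -out, and always hands DER to the browser. The function names and the sample bytes are constructed for illustration; the sample is a minimal DER SEQUENCE, not a real certificate.

```python
import base64
import binascii
import re

# Constructed sample input: SEQUENCE { INTEGER 5 }, standing in for a certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"Certificate:\n    Data: (constructed text dump)\n"
              + b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

# PEM armor for a certificate; text before it (the dump printed when
# -notext is absent) is skipped by search().
_PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _der_total_length(data):
    """Return the full length of the outer DER SEQUENCE, or None if invalid."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = constructed SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # n == 0 is indefinite length (BER)
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def cert_to_der(blob):
    """Accept CA output in either encoding; return (der_bytes, encoding_seen)."""
    match = _PEM_CERT.search(blob)
    if match:
        body = b"".join(match.group(1).split())
        try:
            der, seen = base64.b64decode(body, validate=True), "PEM"
        except binascii.Error as exc:
            raise ValueError("corrupt base64 inside PEM armor") from exc
    else:
        der, seen = blob, "DER"
    if _der_total_length(der) != len(der):    # rejects truncation and trailing junk
        raise ValueError("not a single DER-encoded object")
    return der, seen


def browser_response(blob):
    """Headers and body for returning the new certificate to the browser."""
    der, _ = cert_to_der(blob)
    return {"Content-Type": "application/x-x509-user-cert",
            "Content-Length": str(len(der))}, der
```

The length check only confirms a single well-formed outer DER object; it does not validate the certificate itself.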