On Tue, Nov 16, 2004, Patrick Ben Koetter wrote:

> 
> To clarify my second question: Can I put config options for a CA,
> server and/or client certificate in a single config file and have certs
> built automatically?
> 
> I haven't understood yet how sections work exactly. I understand they
> subsume vars that openssl or an openssl utility will look up. But where
> do the section names come from? Can I invent some myself and have
> openssl use them?
> 
> Ideally I would have something like this:
> 
> # openssl.conf
> 
> [ ca ]
> countryName_value = EX
> stateOrProvinceName_value = Examplia
> localityName_value = Exampleton
> 
> [ server ]
> countryName_value = GB
> stateOrProvinceName_value = Somewhere
> localityName_value = Sometown
> 
> [ client ]
> countryName_value = DE
> stateOrProvinceName_value = bundesland
> localityName_value = stadt
> 
> 
> But from what I understand about sections at the moment I cannot do this
> and will have to go that way:
> 
> # ca.conf
> ...
> [ req_distinguished_name ]
> countryName_value = EX
> stateOrProvinceName_value = Examplia
> localityName_value = Exampleton
> ...
> 
> # server.conf
> ...
> [ req_distinguished_name ]
> countryName_value = GB
> stateOrProvinceName_value = Somewhere
> localityName_value = Sometown
> ...
> 
> # client.conf
> ...
> [ req_distinguished_name ]
> countryName_value = DE
> stateOrProvinceName_value = bundesland
> localityName_value = stadt
> ...
> 
> 
> Correct? If there's a better way to handle this I'd appreciate a hint
> where to go looking for it.
> 

Well with prompt=no you wouldn't have the _value stuff...

Well, some sections are determined by the utility itself, others are specified
in previous sections and others are on the command line. The docs give more
details about each case.

To take your example the section name "req_distinguished_name" is looked up
under the name "distinguished_name" in the "req" section.

The section used ("req") is hard coded in the "req" utility itself.

So you could change the "distinguished_name" to point to another section.
However that would still need modifications to the config file.

You can avoid this by using the environment variable expansion and doing
something like:

distinguished_name=$ENV::dn_sect

will use the environment variable "dn_sect" instead. Then you can keep one
configuration file and select the appropriate section using the environment
variables.

Again see the docs for more details.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
Automated List Manager
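Steve's `$ENV::dn_sect` trick worked through as an added example (not code from this thread): one config file with three DN sections, `prompt = no` so the keys need no `_value` suffix, and the section chosen per run by setting the `dn_sect` environment variable in front of `openssl req`. The section names `ca_dn`, `server_dn`, `client_dn`, the subject values and the `/tmp` paths are assumed for the demonstration.

```shell
#!/bin/sh
# Added example: one openssl.cnf whose [req] distinguished_name is
# resolved from the dn_sect environment variable at run time.
# Section names and subject values below are constructed for the demo.

write_cnf() {
  # $1 = path of the config file to create
  cat > "$1" <<'EOF'
[ req ]
prompt              = no
distinguished_name  = $ENV::dn_sect

[ ca_dn ]
countryName         = EX
stateOrProvinceName = Examplia
localityName        = Exampleton
commonName          = Example CA

[ server_dn ]
countryName         = GB
stateOrProvinceName = Somewhere
localityName        = Sometown
commonName          = server.example.test

[ client_dn ]
countryName         = DE
stateOrProvinceName = bundesland
localityName        = stadt
commonName          = client.example.test
EOF
}

# Create a key and CSR for one role and print the CSR's subject, so the
# section actually used can be checked.  $1 = config file, $2 = DN section.
# An unset dn_sect makes OpenSSL fail with "variable lookup failed", so
# refuse an empty section name up front.
csr_subject() {
  [ -n "$2" ] || { echo "csr_subject: DN section name required" >&2; return 1; }
  dn_sect="$2" openssl req -new -newkey rsa:2048 -nodes -config "$1" \
      -keyout "/tmp/$2.key" -out "/tmp/$2.csr" 2>/dev/null \
    && openssl req -in "/tmp/$2.csr" -noout -subject
}

# Stand-alone run: one config, three CSRs, three different subjects.
if command -v openssl >/dev/null 2>&1; then
  write_cnf /tmp/openssl-dn.cnf
  for s in ca_dn server_dn client_dn; do csr_subject /tmp/openssl-dn.cnf "$s"; done
fi
```

Note that only `[req]` is hard-coded by the utility; the three DN sections are names you invent, and any of them can be selected without touching the file.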