Folks,

Recently I was helping Henry Story with his foaf+ssl* code (folks on this list may well be interested) and ran into something I've been totally relying on for years, but never knew was happening: 'ca' (but not x509 or req) is clever enough to magically output as DER when SPKAC is used and an output file is specified (but will otherwise default to PEM, both on stdout and in the -outdir).

E.g. (from app.c):

    if (spkac_file != NULL)
        {
        j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db, ....
        if (outfile)
            {
            output_der = 1;
            batch = 1;
            }
        }

which means that

    openssl ca -config /etc/CA/openssl.conf -days 180 -notext -batch -spkac ~/tmp/eg.spkac > foo

and

    openssl ca -config /etc/CA/openssl.conf -days 180 -notext -batch -spkac ~/tmp/eg.spkac -out foo

do yield a PEM resp. DER format in 'foo'. And that is a bit confusing. I suggest the below for the docs, as it had me scratching my head for a bit. And I am not that unfamiliar with openssl :)

Cheers,

Dw.

*: http://blogs.sun.com/bblfish/entry/foaf_ssl_creating_a_global

*** ca.pod.orig Sun Jan 4 21:17:06 2009 --- ca.pod Sun Jan 4 21:20:47 2009 *************** *** 83,89 **** a file containing a single Netscape signed public key and challenge and additional field values to be signed by the CA. See the B<SPKAC FORMAT> ! section for information on the required format. =item B<-infiles> --- 83,89 ---- a file containing a single Netscape signed public key and challenge and additional field values to be signed by the CA. See the B<SPKAC FORMAT> ! section for information on the required format and returned format. =item B<-infiles> *************** *** 94,100 **** the output file to output certificates to. The default is standard output. The certificate details will also be printed out to this ! file. =item B<-outdir directory> --- 94,100 ---- the output file to output certificates to. The default is standard output. The certificate details will also be printed out to this ! file. The format is normally PEM - except when handling ! SPKAC files; then a DER file is returned when a file ! is specified; otherwise PEM is emitted on stdout. =item B<-outdir directory> *************** *** 495,500 **** --- 495,508 ---- If you need to include the same component twice then it can be preceded by a number and a '.'.
+ Note that when handling SPKAC files the output format is set + to DER, not PEM when the output is written to a file specified + with -out. As to allow sending it straight to a browser with a + MIME-type of 'application/x-x509-user-cert'. + + However the format is kept PEM when sent to stdout (i.e. without the + -out flag) or when written to a '-outdir'. + =head1 EXAMPLES Note: these examples assume that the B<ca> directory structure is

http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.
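Review bot: in the changed line of the first hunk (83,89), "information on the required format and returned format" is awkward and slightly misleading, since the SPKAC FORMAT section it points to ends up describing the encoding of the certificate written to disk, not a "returned" value; suggest "section for information on the required input format, and on the output encoding", and, because the switch to DER is tied to the output file, a pointer to B<-out> here as well rather than only to the SPKAC FORMAT section.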
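Review bot: the sentence added to the B<-out> item in the second hunk (94,100) documents only the DER switch, but the ca.c excerpt quoted in the mail sets both output_der = 1 and batch = 1 when an SPKAC file is combined with an output file, so the item should also say that -out implies -batch for SPKAC input. The unchanged sentence just before it, "The certificate details will also be printed out to this file", needs the same qualification: a textual dump in front of the DER bytes is not something a browser can load, so state whether the details are suppressed in that case or that -notext should be given, as in the example commands. Wording: "The format is normally PEM - except when handling SPKAC files; then a DER file is returned when a file is specified; otherwise PEM is emitted on stdout." reads better as "The output is PEM, except for SPKAC input written with B<-out>, which is DER; on standard output it is always PEM."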
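Review bot: "As to allow sending it straight to a browser with a MIME-type of 'application/x-x509-user-cert'." in the third hunk (495,500) is a sentence fragment, and the sentence before it is missing a comma after "not PEM"; fold them together: "Note that for SPKAC files the output format is DER, not PEM, when the output is written to a file specified with B<-out>, so that it can be sent straight to a browser with the MIME type application/x-x509-user-cert." The options should be marked up as B<-out> and B<-outdir>, as everywhere else in ca.pod, rather than bare -out and a quoted '-outdir'. This paragraph also repeats what the second hunk adds to the B<-out> item; keep the full explanation in one place and cross-reference it from the other.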
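The practical consequence of the behaviour described in the mail is that code consuming the output of `openssl ca -spkac` (a foaf+ssl enrolment handler, for instance) cannot assume an encoding: `-out foo` gives DER, `> foo` gives PEM, and a PEM run without -notext has the X509_print text dump in front of the armour. The following is an added example, not code from the mail or from OpenSSL, written in Python so it runs without an openssl binary. It detects which form it was handed, checks that a DER blob is exactly one well-formed SEQUENCE, and converts to whatever the browser expects. The function names and the sample inputs are the example's own; the two samples are constructed stand-ins (a tiny DER SEQUENCE), not real certificates.

```python
"""Normalise the certificate blob that `openssl ca -spkac` hands back.

Added example for this thread; not code from the mail or from OpenSSL.
It assumes only what the mail shows: with an SPKAC request, `-out foo`
yields DER and `> foo` yields PEM, and a PEM run without -notext has a
text dump in front of the armour. A handler serving the result as
application/x-x509-user-cert needs DER either way, so detect and convert.
"""
import base64
import re
from typing import Tuple

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-ins, not real certificates:
#   SEQUENCE { INTEGER 1, INTEGER 2 } -- what `-out foo` would leave on disk
SAMPLE_DER = bytes.fromhex("3006020101020102")
#   what `> foo` without -notext leaves: X509_print text, then the PEM block
SAMPLE_PEM_WITH_TEXT = (
    b"Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    b"-----BEGIN CERTIFICATE-----\nMAYCAQECAQI=\n-----END CERTIFICATE-----\n"
)


def der_length(data: bytes) -> int:
    """Total length of the DER SEQUENCE starting at data[0], or -1 if the
    tag/length header is malformed, non-minimal, or overruns the buffer."""
    if len(data) < 2 or data[0] != 0x30:      # Certificate ::= SEQUENCE
        return -1
    first = data[1]
    if first < 0x80:                          # short-form length
        hdr, length = 2, first
    else:                                     # long form: n length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:   # 0x80 = indefinite, BER only
            return -1
        length = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
        # DER requires the shortest encoding: no leading zero octet, and
        # values below 0x80 must use the short form.
        if length < 0x80 or (length >> (8 * (n - 1))) == 0:
            return -1
    total = hdr + length
    return total if total <= len(data) else -1


def detect_encoding(blob: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for a file written by `openssl ca`."""
    if PEM_RE.search(blob):                   # armour may follow a text dump
        return "PEM"
    if der_length(blob) == len(blob):         # exactly one SEQUENCE, no junk
        return "DER"
    return "unknown"


def to_der(blob: bytes) -> bytes:
    """DER bytes of the certificate, whichever form `ca` chose to write."""
    enc = detect_encoding(blob)
    if enc == "DER":
        return blob
    if enc == "PEM":
        body = re.sub(rb"\s+", b"", PEM_RE.search(blob).group(1))
        der = base64.b64decode(body, validate=True)
        if der_length(der) != len(der):
            raise ValueError("PEM body does not decode to one DER SEQUENCE")
        return der
    raise ValueError("neither a PEM nor a DER certificate")


def to_pem(blob: bytes) -> bytes:
    """PEM armour (64-column base64) around the certificate."""
    b64 = base64.b64encode(to_der(blob))
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def browser_payload(blob: bytes) -> Tuple[str, bytes]:
    """(Content-Type, body) to send back to the enrolling browser: always
    DER, regardless of which `ca` invocation produced the file."""
    return "application/x-x509-user-cert", to_der(blob)


if __name__ == "__main__":
    for name, blob in (("DER file", SAMPLE_DER), ("PEM file", SAMPLE_PEM_WITH_TEXT)):
        ctype, body = browser_payload(blob)
        print(name, detect_encoding(blob), "->", ctype, body.hex())
```

The DER check deliberately rejects trailing bytes and non-minimal length encodings rather than just sniffing the first byte: a file that merely starts with 0x30 is not enough evidence to hand it to a browser as a certificate, and a text dump followed by armour is still recognised as PEM.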