> My claim is that much of the "applications" should be removed
> from the core system, and should be re-implemented in a cleaner
> way using the APIs.
> I.e. into a separate git repo with its own release schedule.
>
> They should serve as exemplars for using the APIs, which they
> often are not.
>
> In particular, the way that many things are only doable via
> "configuration file" is a serious problem.

Agree. To create X509 SANs you need to understand the application, but that gets very confusing since half of it is getting command line and config file input, and it is even harder when you don't understand C. You end up using obscure APIs like GENERAL_NAME_set0_value, for which there is no documentation, because there seems to be nothing better to use to create the stack of extensions. But it was satisfying when it all worked and I had a CA component.

OpenSSL is really aimed at two markets: developers using the API and admins using the applications. It would be easier for both groups if the help was separate.

Angus