From: owner-openssl-us...@openssl.org On Behalf Of redpath
Sent: Sunday, 18 August, 2013 08:12
> I only deal with DSA processes, so this is new to me. I have created
> a CA and want to create an SSL cert for a server (signed by the CA),
> and I am trying to understand the -purpose output for the result.
> Below is a simple test case of commands.
I don't know what you mean by DSA processes. If you mean
the Digital Signature Algorithm standardized by NIST,
that is not involved at all in what you did.
> mkdir demoCA
> mkdir demoCA/newcerts
> mkdir demoCA/private
> cd demoCA
> touch index.txt
> echo 1000 > serial
> cd ..
>
> # create CA
> openssl req -new -x509 -days 3650 -extensions v3_ca \
>     -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem \
>     -config myconfig.cnf -batch -passout pass:password
>
> # Now create an SSL certificate
> openssl genrsa -out myrsa.pem 2048
See below.
> openssl req -new -out rsapub.csr -days 731 -keyout myrsa.key -batch \
>     -extensions v3_OCSP -config myconfig.cnf -passout pass:password
Asides: -extensions on req -new are meaningful only if the
config file used for ca has copy_extensions set, which is not
the default but the default doesn't have v3_OCSP either. Even
if you do use extensions in the req, unless v3_OCSP is a
perversely confusing name it is probably not suitable for
a webserver (Apache) cert as you say below you want.
> openssl ca -out rsapub.crt.pem -in rsapub.csr -passin pass:password \
>     -config myconfig.cnf -batch -cert ./demoCA/cacert.pem
>
> # Check purpose
> openssl x509 -text -in rsapub.crt.pem -notext -purpose
> Certificate purposes:
> SSL client : Yes
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : Yes
> S/MIME signing CA : No
> S/MIME encryption : Yes
> S/MIME encryption CA : No
> CRL signing : Yes
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No
> Time Stamp signing : No
> Time Stamp signing CA : No
There is no -notext for x509. ITYM -noout.
> 1) So is this correct to be used by a server for an SSL cert, giving
> the rsapub.crt.pem and the myrsa.key to the Apache server for
> configuration?
Yes, this cert is considered suitable for an SSL server such as
Apache httpd (or tomcat with APR). On condition that the clients
of that server (e.g. browsers) are configured to trust your CA cert,
which they won't be by default.
Aside: myrsa.pem and rsapub.* are not very meaningful names,
but good enough for an example.
> I don't understand these fields SSL server CA:no and SSL
> client CA:no
Those would be for certain kinds of CA certs. This isn't a CA
cert, and you don't want a CA cert for an SSL server.
> 2) Also what command can I use to see if it is signed by the CA?
openssl verify -CAfile $cacert rsapub.crt.pem
where $cacert is ./demoCA/cacert.pem or a copy of it.
For a child cert to be valid, it must be signed by
the parent AND several other crosschecks must pass;
'verify' does all of these except limited revocation.
If you really want to test only that the child cert
is signed by the CA, but NOT the other requirements,
it's more complicated; if so ask again.
> 3) I am also surprised I cannot give the config file for this command
> but must specify the bit default to use? Maybe I am
> missing something.
> I think using my config I am sure all options I want are
> always used.
> openssl genrsa -out myrsa.pem 2048
This wasn't actually used at all by the req -new. You can
generate a key(pair) explicitly and then use it for req -new,
but not the way you did it; your req -new generated a new
RSA keypair using default_bits from the config file, as well
as using Subject name information from the config file. If
you want the explicit generation, which you apparently don't,
then yes genrsa uses only command options not config file.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
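The procedure discussed in the thread, end to end, as an added example. This is not code from the thread or from the OpenSSL project, and since myconfig.cnf is not on the page the config it writes, the file names (server.key, server.crt, other.pem) and the section names (demo_ca, v3_server, policy_any) are assumptions made for the demo. It makes the CA, generates the server key explicitly and actually uses it in the CSR (-key), signs with extensions taken from the ca config so the result carries serverAuth rather than a v3_OCSP section, and then runs the three checks the questions asked about: the purpose table (with -noout, not -notext), verification against the CA, and whether the private key belongs to the certificate.

```shell
#!/bin/sh
# Added example, not code from the thread above: the CA and server cert the poster wanted,
# with two fixes from the reply. The genrsa key is really used (req -new -key), and the
# server extensions come from the ca config (serverAuth), not from a v3_OCSP section.
# The config text, paths and section names below are assumptions made for this demo.
set -eu

# Write a minimal config serving both `openssl req` and `openssl ca` to $1/openssl.cnf.
write_config() {
    mkdir -p "$1/demoCA/newcerts" "$1/demoCA/private"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $1/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 731
policy          = policy_any
copy_extensions = none
x509_extensions = v3_server
[ policy_any ]
commonName      = supplied
[ req ]
prompt             = no
default_bits       = 2048
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.example.test
EOF
}

# CA, explicit server key, CSR that uses it, signed cert, plus an unrelated CA for negatives.
make_demo_pki() {
    d=$1; cfg=$1/openssl.cnf
    write_config "$d"
    : > "$d/demoCA/index.txt"
    echo 1000 > "$d/demoCA/serial"
    openssl req -new -x509 -days 3650 -extensions v3_ca -config "$cfg" -batch \
        -subj "/CN=Demo Root CA" -keyout "$d/demoCA/private/cakey.pem" \
        -out "$d/demoCA/cacert.pem" -passout pass:password
    openssl genrsa -out "$d/server.key" 2048
    openssl req -new -key "$d/server.key" -config "$cfg" -batch \
        -subj "/CN=www.example.test" -out "$d/server.csr"
    openssl ca -config "$cfg" -batch -notext -passin pass:password \
        -in "$d/server.csr" -out "$d/server.crt"
    openssl req -new -x509 -days 3650 -extensions v3_ca -config "$cfg" -batch -nodes \
        -subj "/CN=Unrelated CA" -keyout "$d/other.key" -out "$d/other.pem"
}

# -noout (not -notext): print only the purpose table for cert $1.
cert_purposes() { openssl x509 -in "$1" -noout -purpose; }

# True if purpose $2 ("SSL server", "SSL server CA", ...) is reported Yes for cert $1.
cert_has_purpose() { cert_purposes "$1" | grep -qxF "$2 : Yes"; }

# True if cert $1 validates under CA cert $2. `verify` also checks dates, basicConstraints,
# key usage and (limited) revocation, so OK means "valid under this CA", not just "signed by".
signed_by_ca() { openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'; }

# True if private key $2 belongs to cert $1 (what Apache needs): compare the public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_demo_pki "$work" 2>/dev/null
    echo "== server cert =="; cert_purposes "$work/server.crt"
    echo "== CA cert ==";     cert_purposes "$work/demoCA/cacert.pem"
    signed_by_ca "$work/server.crt" "$work/demoCA/cacert.pem" && echo "server.crt: valid under our CA"
    signed_by_ca "$work/server.crt" "$work/other.pem" || echo "server.crt: not valid under the unrelated CA"
    key_matches_cert "$work/server.crt" "$work/server.key" && echo "server.key matches server.crt"
fi
```

Run it as `sh demo.sh`. Because v3_server carries extendedKeyUsage = serverAuth, the server cert's purpose table shows SSL server : Yes but SSL client : No, narrower than the poster's output, where no EKU restricted the cert and both client and server came back Yes. The CA cert shows the mirror image, SSL server CA : Yes and SSL server : No, which is what the "... CA" rows mean: they apply to the issuing cert, not to the end-entity cert you hand to Apache. The verify against the unrelated CA fails with "unable to get local issuer certificate", and key_matches_cert is the check to run before pairing server.crt with server.key in the server config.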