I am rather good on theory of x509 certs, but quite short on practice of
making them. The few times I did, I used templates, but this time
around I am trying better to understand what is being created. Oh, I am
creating a mailserver (postfix) cert.

I am looking at a couple of templates. The one at postfix.org creates an
'unsigned public key certificate':

    openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365

A tutorial I am working with creates a 'self-signed certificate':

    openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes \
        -keyout smtpd.key -keyform PEM -days 365 -x509

I have figured out that the two -xxxform PEM parameters are only
selecting the default value (and probably has always been the default
for openssl) so can be dropped. The challenge is the -x509 parameter.
It does not seem to be the default for req, and yet the -days nnn option
seems to be tied to it. The man page says:

    -x509
        this option outputs a self signed certificate instead of a
        certificate request. This is typically used to generate a test
        certificate or a self signed root CA. The extensions added to the
        certificate (if any) are specified in the configuration file.
        Unless specified using the set_serial option 0 will be used for the
        serial number.

    -days n
        when the -x509 option is being used this specifies the number of
        days to certify the certificate for. The default is 30 days.

So is -x509 the default? If not, what is the default, and for the
default what does -days nnn do?
Thank you for your assistance.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
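
Added example, not part of the original post and not code from the OpenSSL or Postfix projects: the script below runs both commands from the post and inspects what each one writes, showing that without -x509 the result is a certificate request with no validity period, while with -x509 it is a self-signed certificate valid for the -days value. The config file req.cnf, the subject mail.example.test and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: what `openssl req` writes with and without -x509.
# Subject name and working directory are constructed for illustration.
workdir=$(mktemp -d)

# Minimal config so both commands run without prompting (assumed values).
cat > "$workdir/req.cnf" <<'EOF'
[req]
default_bits = 2048
distinguished_name = dn
prompt = no
[dn]
CN = mail.example.test
EOF

# Without -x509: the output is a PKCS#10 certificate request (CSR).
# A CSR has no validity period, so -days has nothing to act on; newer
# OpenSSL releases warn that it is ignored (stderr is silenced here).
make_request() {
    openssl req -new -nodes -config "$workdir/req.cnf" -days 365 \
        -keyout "$workdir/foo-key.pem" -out "$workdir/foo-req.pem" 2>/dev/null
}

# With -x509: the output is a certificate signed by its own key.
make_selfsigned() {
    openssl req -new -x509 -nodes -config "$workdir/req.cnf" -days 365 \
        -newkey rsa:2048 -keyout "$workdir/smtpd.key" \
        -out "$workdir/smtpd.cert" 2>/dev/null
}

# Print the PEM label of a file, e.g. "CERTIFICATE REQUEST".
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Succeed if the certificate is still valid $2 days from now.
valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_request && make_selfsigned
echo "foo-req.pem: $(pem_type "$workdir/foo-req.pem")"
echo "smtpd.cert:  $(pem_type "$workdir/smtpd.cert")"
valid_in_days "$workdir/smtpd.cert" 364 && echo "valid in 364 days"
valid_in_days "$workdir/smtpd.cert" 366 || echo "expired in 366 days"
```

The request file still has to be signed by a CA (or by its own key, which is what -x509 does in one step) before a mail server can present it as a certificate.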