> From: owner-openssl-us...@openssl.org On Behalf Of redpath
> Sent: Sunday, 18 August, 2013 08:12

> I only deal with DSA processes so this is new to me and
> I have created a CA and want to create an SSL cert for a
> server (signed by the CA)
> and I am trying to understand the -purpose output for the result.
> Below is a simple test case of commands.

I don't know what you mean by "DSA processes". If you mean the Digital
Signature Algorithm standardized by NIST, that is not involved at all in
what you did.

> mkdir demoCA
> mkdir demoCA/newcerts
> mkdir demoCA/private
> cd demoCA
> touch index.txt
> echo 1000 > serial
> cd ..
>
> *//create CA*
> openssl req -new -x509 -days 3650 -extensions v3_ca -keyout
> ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -config myconfig.cnf
> -batch -passout pass:password
>
> *//Now create an SSL certificate*
> openssl genrsa -out myrsa.pem 2048

See below.

> openssl req -new -out rsapub.csr -days 731 -keyout myrsa.key -batch
> -extensions v3_OCSP -config myconfig.cnf -passout pass:password

Asides: -extensions on req -new are meaningful only if the config file
used for ca has copy_extensions set, which is not the default but the
default doesn't have v3_OCSP either. Even if you do use extensions in
the req, unless v3_OCSP is a perversely confusing name it is probably
not suitable for a webserver (Apache) cert as you say below you want.

> openssl ca -out *rsapub.crt.pem* -in rsapub.csr -passin pass:password
> -config myconfig.cnf -batch -cert ./demoCA/cacert.pem
>
> *//Check purpose*
> openssl x509 -text -in *rsapub.crt.pem* -notext -purpose
>
> Certificate purposes:
> *SSL client : Yes*
> SSL client CA : No
> *SSL server : Yes*
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : Yes
> S/MIME signing CA : No
> S/MIME encryption : Yes
> S/MIME encryption CA : No
> CRL signing : Yes
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No
> Time Stamp signing : No
> Time Stamp signing CA : No

There is no -notext for x509. ITYM -noout.

> 1) So is this correct to be used by a Server for SSL cert giving
> the rsapub.crt.pem and the myrsa.key to the Apache server for
> configuration.

Yes, this cert is considered suitable for an SSL server such as Apache
httpd (or tomcat with APR). On condition that the clients of that server
(e.g. browsers) are configured to trust your CA cert, which they won't
be by default.

Aside: myrsa.pem and rsapub.* are not very meaningful names, but good
enough for an example.

> I don't understand these fields SSL server CA:no and SSL
> client CA:no

Those would be for certain kinds of CA certs. This isn't a CA cert, and
you don't want a CA cert for an SSL server.

> 2) Also what command can I use to see if it is signed by the CA.

openssl verify -CAfile $cacert rsapub.crt.pem
where $cacert is ./demoCA/cacert.pem or a copy of it.

For a child cert to be valid, it must be signed by the parent AND
several other crosschecks must pass; 'verify' does all of these except
limited revocation. If you really want to test only that the child cert
is signed by the CA, but NOT the other requirements, it's more
complicated; if so ask again.

> 3) I am also surprised I cannot give the config file for this command
> but must specify the bit default to use? Maybe I am
> missing something.
> I think using my config I am sure all options I want are
> always used.
>
> openssl genrsa -out myrsa.pem 2048

This wasn't actually used at all by the req -new. You can generate a
key(pair) explicitly and then use it for req -new, but not the way you
did it; your req -new generated a new RSA keypair using default_bits
from the config file, as well as using Subject name information from
the config file. If you want the explicit generation, which you
apparently don't, then yes genrsa uses only command options not config
file.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
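To tie the reply's points together, here is an added example (not from the thread): a POSIX shell function that builds a throwaway CA, issues a server certificate whose extensions are supplied at signing time through -extfile rather than relying on copy_extensions, prints the -purpose table with -noout (not -notext), and runs openssl verify -CAfile against the CA. It assumes openssl is on PATH; the temp-directory layout, the config sections and the .invalid host names are constructed for the example.

```shell
#!/bin/sh
# Constructed example: throwaway CA -> server cert -> purpose table -> verify.
set -eu

make_and_check_server_cert() {
  work=$(mktemp -d)
  # Minimal req config with two extension sections; names are placeholders.
  cat >"$work/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = example-ca.invalid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.invalid
EOF
  # 1) Self-signed CA; req generates the keypair itself, as in the thread.
  openssl req -new -x509 -days 3650 -config "$work/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$work/cakey.pem" -out "$work/cacert.pem" 2>/dev/null
  # 2) Server keypair + CSR; -subj overrides the CN from the config.
  openssl req -new -config "$work/req.cnf" -subj "/CN=www.example.invalid" \
    -newkey rsa:2048 -nodes -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
  # 3) Sign it. Extensions come from the extfile at signing time, so nothing
  #    the requester put in the CSR is copied without the CA choosing to.
  openssl x509 -req -days 731 -in "$work/server.csr" -CA "$work/cacert.pem" \
    -CAkey "$work/cakey.pem" -CAcreateserial -extfile "$work/req.cnf" \
    -extensions v3_server -out "$work/server.crt" 2>/dev/null
  # 4) -noout suppresses the PEM dump; -purpose prints the table from the thread.
  #    serverAuth-only EKU yields "SSL server : Yes" and "SSL client : No".
  purposes=$(openssl x509 -in "$work/server.crt" -noout -purpose)
  # 5) Chain check: signature by the CA plus validity/extension crosschecks.
  openssl verify -CAfile "$work/cacert.pem" "$work/server.crt" >/dev/null
  rm -rf "$work"
  printf '%s\n' "$purposes"
}
```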