In message <[EMAIL PROTECTED]> on Tue, 22 Oct 2002 13:05:40 -0700, "Eric Weitzman" <[EMAIL PROTECTED]> said:
eweitzman> Richard,
eweitzman> 
eweitzman> > "Eric Weitzman" <[EMAIL PROTECTED]> said:
eweitzman> > 
eweitzman> > eweitzman> Is there any overview documentation on the relationship
eweitzman> > eweitzman> between the keys and sections in openssl.cnf and both the
eweitzman> 
eweitzman> > Isn't http://www.openssl.org/docs/apps/req.html enough? There's a
eweitzman> > small blurb about distinguished_name ending by saying that the section
eweitzman> > it refers to is explained in the next section of that manual. That
eweitzman> > section is basically right below said blurb.
eweitzman> 
eweitzman> This is enough to document req. But I was looking for
eweitzman> overview documentation of the config file per se.

http://www.openssl.org/docs/apps/config.html

eweitzman> It's an even bigger leap to understand that one anticipated
eweitzman> usage pattern for req requires that an app will write the
eweitzman> config file to supply specific values for the distinguished
eweitzman> name fields of the request.

Not quite. There are two ways you can do this; 1) use the -subj option
when you call req, or 2) change all the {foo}_default values to come
from environment variables, and then set all those environment
variables to sensible values and call req with -batch. An example:

  [ req_distinguished_name ]
  countryName         = Country Name (2 letter code)
  countryName_default = ${ENV::COUNTRYNAME}
  countryName_min     = 2
  countryName_max     = 2

eweitzman> It was while glimpsing this unique arrangement that I
eweitzman> wondered, is there some overview documentation that spells
eweitzman> out the relationships between
eweitzman> commands->sections->keys->other_sections. It would be nice
eweitzman> if this was done in general, or as a compendium of all the
eweitzman> various commands' usage of the config file in the config
eweitzman> file documentation.
eweitzman> 
eweitzman> For example, are req and ca the only
eweitzman> commands that have their own eponymously-named sections
eweitzman> with keys whose values point to other sections? Or are
eweitzman> there others? Are the OIDs in the section pointed to by the
eweitzman> global key oid_section used by more than x509? (I'll
eweitzman> answer this for myself shortly...see below)

I think you need a general understanding of OpenSSL. The OpenSSL
commands are really quite independent. Each of them has its own name
as the main section of the configuration file to look in. The only
ones that look in the configuration file are req, x509 and ca, so the
main sections in the configuration file are [req], [x509] and [ca].
All other sections are somehow referenced from somewhere else, and
those details are specific to each command.

oid_section is used by req, x509 and ca. Perhaps that isn't entirely
clear, although it is mentioned in each of those manual pages.

eweitzman> I'm spiraling in to an understanding of the system as the
eweitzman> blind men came to understand the elephant. Since I'm
eweitzman> interested in the CA capabilities, a document that
eweitzman> describes how ca, req, and x509 fit together and are
eweitzman> configured would be helpful.

In general, you can ignore x509 except for two purposes: 1) to create
a root certificate if you need to, and 2) to look at certificates. It
only uses the configuration when creating certificates.

req is used to create certificate requests, ca is used to sign them.
Basically, the users wanting certificates would use req, and the CA
administrator would use ca...

eweitzman> > Note: the manuals on the web are for the development
eweitzman> 
eweitzman> Given this note, I understand that my documentation desires
eweitzman> might go unheeded!

Not necessarily, but we do have a certain structure, and it seems like
some overall manual that would direct you better than
http://www.openssl.org/docs/apps/openssl.html does is what you would
have needed. Is that correct?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                  \ SWEDEN             \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
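The two non-interactive routes Richard describes (-subj, or ${ENV::...} defaults plus -batch), as an added example that is not part of the thread. It assumes an openssl binary on PATH; the config, the environment variable names and the DN values are constructed for the demonstration. One caveat it shows: the config is parsed even when -subj is used, so every ENV:: variable it references must still be set or req refuses to load it.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes `openssl` is on PATH.
set -e

# Config whose *_default values are pulled from the environment (constructed).
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = yes

[ req_distinguished_name ]
countryName              = Country Name (2 letter code)
countryName_default      = ${ENV::COUNTRYNAME}
countryName_min          = 2
countryName_max          = 2
organizationName         = Organization Name
organizationName_default = ${ENV::ORGNAME}
commonName               = Common Name
commonName_default       = ${ENV::COMMONNAME}
EOF
}

# Way 2: export the values, run req with -batch so the *_default values are
# taken without prompting. Prints the subject of the resulting CSR.
csr_subject_from_env() {
    dir=$(mktemp -d)
    write_req_config "$dir/req.cnf"
    COUNTRYNAME=SE ORGNAME="Example Org" COMMONNAME=host.example.test \
      openssl req -new -batch -config "$dir/req.cnf" \
        -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    openssl req -in "$dir/req.pem" -noout -subject -nameopt RFC2253
    rm -rf "$dir"
}

# Way 1: -subj supplies the whole DN. The config's DN defaults are ignored,
# but the ENV:: variables must still exist because the file is still parsed.
csr_subject_from_subj() {
    dir=$(mktemp -d)
    write_req_config "$dir/req.cnf"
    COUNTRYNAME=XX ORGNAME=ignored COMMONNAME=ignored \
      openssl req -new -batch -config "$dir/req.cnf" \
        -subj "/C=SE/O=Example Org/CN=host.example.test" \
        -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    openssl req -in "$dir/req.pem" -noout -subject -nameopt RFC2253
    rm -rf "$dir"
}
```

Both functions print the same subject line, which is the point: the application can either write the DN into the command line or into the environment, and never needs to rewrite the config file itself.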
