Hello,

   I've been trying to wrap my head around certificate signing, and how
it differs when using "x509" and "ca". Please correct me if I'm wrong:

   (This is wild speculation on my part) x509 is the "traditional" way
to sign CSRs. Somewhere along the line, someone thought it was too
complicated to use, and CAs generally didn't know which command to use
for signing server and client certificates, so someone wrote a mini-CA
application, which found its way into the openssl command.

   According to that theory, the "ca" command does what "x509" does on
an x509 API level, but it also implements some extra support for reading
default parameters from openssl.cnf, which "x509" doesn't do.

   I, like so many others, have written a script for managing my
self-signed CA duties for my specific setup. But I'm using "x509" for my
signing operations, and I recently realized that it has a rather odd
limitation: It doesn't support -startdate and -enddate as "ca" does;
only "-days", which means one cannot use "x509" to preemptively create
certificates for servers/users prior to their old certificate expiring
(since it's missing -startdate), and it's not possible to tell openssl
to generate a certificate which ends at exactly 23:59:59, short of
actually signing the CSR at just that moment.

   I've done some googling, and others have come to the same conclusion.
So I get the feeling I'm missing something -- that "ca" isn't just
"x509" with a higher level of abstraction, specially suited for everyday
CA duties.

   My questions:
   1) Is there any difference between "x509" and "ca" which makes "x509"
unsuitable for a self-signed CA to use for everyday CSR signing operations?
   2) Is there a reason "x509" doesn't have -startdate or -enddate? In
my case, they are the only features I'm looking for which "ca" has.
Other than that, I specifically don't want to use the configuration
parameters in openssl.cnf (I use explicit command line options to "x509"
for setting the serial number file, etc).

-- 
Kind regards,
Jan Danielsson


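The -startdate/-enddate behaviour the post is asking about, as an added example that is not part of the original message: the script below builds the minimal directory layout "openssl ca" requires (index.txt, serial, newcerts/ and a config file with a [ca] section), signs a freshly generated CSR with an explicit notBefore in the future and a notAfter of exactly 23:59:59, and then reads the validity period back with "openssl x509 -startdate -enddate". The CA name, the server name, the 2030 dates and the temporary-directory layout are all constructed for this example; it assumes only that an "openssl" binary is in PATH. Note that "-enddate" takes a full GeneralizedTime string (YYYYMMDDHHMMSSZ), which is what lets the certificate end on a chosen second regardless of when the signing command actually runs.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Demonstrates `openssl ca -startdate/-enddate` on a throwaway CA.
set -e

# Builds a temporary CA, signs a constructed CSR with explicit validity
# bounds, and prints the certificate's notBefore/notAfter lines.
demo_ca_sign_validity() {
    work=$(mktemp -d)
    (
        cd "$work"

        # The bookkeeping files `openssl ca` insists on, unlike `openssl x509`:
        # a text database of issued certs, a serial counter and an output dir.
        mkdir newcerts
        : > index.txt
        echo 1000 > serial

        # Minimal configuration: a [ca] section for signing and a [req]
        # section so the key/CSR generation below needs no system openssl.cnf.
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
policy          = policy_any
x509_extensions = server_ext
unique_subject  = no

[ policy_any ]
commonName      = supplied

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName      = Common Name
EOF

        # Self-signed root for the demo CA (constructed name).
        openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

        # A server key and CSR, standing in for the request a client would submit.
        openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
            -subj "/CN=server.example" -keyout srv.key -out srv.csr >/dev/null 2>&1

        # The point of the example: notBefore in the future (pre-issuing a
        # replacement before the old cert expires) and notAfter at 23:59:59,
        # both independent of the moment this command runs.
        openssl ca -config ca.cnf -batch -notext \
            -startdate 20300101000000Z -enddate 20301231235959Z \
            -in srv.csr -out srv.crt >/dev/null 2>&1

        # Read the validity period back from the issued certificate.
        openssl x509 -in srv.crt -noout -startdate -enddate
    )
    rm -rf "$work"
}

# Run the demonstration when executed directly.
demo_ca_sign_validity
```

Running it prints "notBefore=Jan  1 00:00:00 2030 GMT" and "notAfter=Dec 31 23:59:59 2030 GMT". Everything that "ca" reads from the config here (database, serial, new_certs_dir, policy, extensions) is the state it keeps per issued certificate; "-startdate" and "-enddate" themselves are plain command-line options that need nothing from openssl.cnf beyond that [ca] section.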