On Wed, Dec 02, 2009, Jan Danielsson wrote:
> Hello,
>
> I've been trying to wrap my head around certificate signing, and how
> it differs when using "x509" and "ca". Please correct me if I'm wrong:
>

Well they've been about since SSLeay so I can't comment on the precise
motivation. I'd speculate that "x509" is automated whereas the "ca"
utility has support for user intervention.

You can do almost everything with "x509" that you can with "ca". The most
notable difference is that you can only generate CRLs using the "ca"
utility.

The default behaviour of "ca" is also more sensible than "x509". It adds
appropriate extensions to CA and end entity certificates.

> According to that theory, the "ca" command does what "x509" does on
> an x509 API level, but it also implements some extra support for reading
> default parameters from openssl.cnf, which "x509" doesn't do.
>
> My questions:
> 1) Is there any difference between "x509" and "ca" which makes "x509"
> unsuitable for a self-signed CA to use for every day CSR signing operations?
> 2) Is there a reason "x509" doesn't have -startdate or -enddate? In
> my case, they are the only features I'm looking for which "ca" has.
> Other than that, I specifically don't want to use the configuration
> parameters in openssl.cnf (I use explicit command line options to "x509"
> for setting serial number file, etc).
>

If nothing else you need to include an appropriate set of extensions in
the CA and end entity certificates.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
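The two points of the reply, put into a runnable form as an added example (this is not code from the thread or from the OpenSSL project): signing with "x509 -req" works for everyday CSR issuance as long as the extensions that "ca" would add by default are supplied through an explicit -extfile, and "ca" is still needed, with a minimal config, for the one task "x509" cannot do, generating a CRL. Validity is set with -days because that is the only validity option the "x509" utility of the thread's era offers. The scratch directory, file names, subject names and the extension profiles are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: everyday CSR signing with
# "openssl x509 -req" plus explicit extensions, and CRL generation with "ca".
# All paths, names and extension choices below are assumptions of this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; nothing to run" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed)

# Extension profiles standing in for what "ca" applies by default: a CA
# certificate must carry CA:TRUE and be limited to signing duties, an
# end-entity certificate must carry CA:FALSE and state what the key is for.
write_ext_files() {
  cat > "$WORK/ca_ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/ee_ext.cnf" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Self-signed CA built with "req" and "x509 -req -signkey" only.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Example Test CA" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -sha256 -extfile "$WORK/ca_ext.cnf" -out "$WORK/ca.crt" 2>/dev/null
}

make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=server.example.test" 2>/dev/null
}

# Everyday signing with "x509": explicit serial file, validity in days,
# and the end-entity extension profile applied by -extfile.
sign_csr() {
  csr=$1; out=$2
  openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/serial" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/ee_ext.cnf" -out "$out" 2>/dev/null
}

# Checks a relying party cares about: CA flag present where it should be,
# absent where it should not be, and the chain verifies.
cert_has_ca_true()  { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
cert_has_ca_false() { openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'; }
chain_verifies()    { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# Minimal "ca" configuration, used here only for -gencrl.
write_ca_config() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 30
EOF
}

make_crl()     { openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null; }
crl_is_valid() { openssl crl -in "$WORK/ca.crl" -noout -CAfile "$WORK/ca.crt" 2>&1 | grep -q 'verify OK'; }

run_demo() {
  write_ext_files; make_ca; make_server_csr
  sign_csr "$WORK/server.csr" "$WORK/server.crt"
  write_ca_config; make_crl
  echo "CA, server certificate and CRL written to $WORK"
}
run_demo
```

Omitting -extfile from the `sign_csr` step produces a certificate with no extensions at all, which is exactly the situation the reply warns about: modern verifiers reject a CA certificate without basicConstraints, and an end-entity certificate without keyUsage or extendedKeyUsage tells a relying party nothing about what the key may be used for.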