Dr. Stephen Henson wrote:
[---]
> I'd speculate that "x509" is automated whereas the "ca" utility
> has support for user intervention. You can do almost everything with "x509"
> that you can with "ca". The most notable difference is that you can only
> generate CRLs using the "ca" utility.

Yes, and - as I noted earlier - specifying specific notBefore/notAfter is also supported by "ca", but not "x509", as far as I can tell.

> The default behaviour of "ca" is also more sensible than "x509". It adds
> appropriate extensions to CA and end entity certificates.

Yes, but that can be worked around with relevant command line parameters and openssl.cnf sections.

[---]
>> My questions:
>> 1) Is there any difference between "x509" and "ca" which makes "x509"
>> unsuitable for a self-signed CA to use for every day CSR signing operations?
>> 2) Is there a reason "x509" doesn't have -startdate or -enddate? In
>> my case, they are the only features I'm looking for which "ca" has.
>> Other than that, I specifically don't want to use the configuration
>> parameters in openssl.cnf (I use explicit command line options to "x509"
>> for setting serial number file, etc).
>>
>
> If nothing else you need to include an appropriate set of extensions in the CA
> and end entity certificates.

Yes, those are the parts I do want from the openssl.cnf, but I don't want the key/certificate locations, serial file, index file, and such. Those things are already handled by my script, in a way that suits my application better than coding them into openssl.cnf. The only thing missing now is being able to specify the start/end dates properly, and I'm done.

I took a look at what "startdate" and "enddate" do (in the sources), and - at a first glance - it looks pretty trivial to implement support for them in "x509". The problem is that "x509" already has -startdate and -enddate, but they are used for printing information from an existing certificate.

So, I have some follow-up questions:

1) If I patch openssl to support setting specific start/end dates for certificates using "x509", what are the odds that it would get accepted into the distribution? (Provided it's a clean patch).

2) (Provided (1) is a "not impossible") Given that people probably are using -startdate/-enddate in various scripts around the world, it's not possible to change the meaning of the existing arguments. Would "-notbefore" and "-notafter" be suitable?

I don't think I'm the only user to ever want to avoid "ca" because it adds a level of abstraction that I want to implement myself. (I think I tend to think of "x509" as the "low-level" version of "ca" - perhaps incorrectly - which is why I feel that "x509" should have at least the same level of precision with regards to notBefore/notAfter as "ca").

--
Kind regards,
Jan Danielsson
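The split the thread describes, as an added shell example that is not part of the post or of OpenSSL's own tooling: "openssl ca" sets notBefore/notAfter via -startdate/-enddate and adds CA/end-entity extensions from config, "openssl x509 -startdate -enddate" only reads them back, and the serial, index and key paths live in a config the script writes itself rather than in the system openssl.cnf. The CA name, file names and dates are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Sign a CSR with "openssl ca" using
# explicit notBefore/notAfter, keeping key, serial and index paths in a
# config the script writes itself. Names and paths are hypothetical.
set -eu
# $1 = notBefore, $2 = notAfter, both YYMMDDHHMMSSZ (ASN.1 UTCTime, UTC).
# Body is a subshell so the temp directory and cd do not leak to the caller.
sign_with_dates() (
    W=$(mktemp -d); cd "$W"
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = v3_leaf
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed CA, then a CSR for an end entity (both with throwaway keys).
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.crt -subj "/CN=Demo Root CA" -days 3650 >/dev/null 2>&1
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout leaf.key \
        -out leaf.csr -subj "/CN=leaf.example.test" >/dev/null 2>&1
    # "ca" sets the validity window; "x509" only reads it back.
    openssl ca -config ca.cnf -batch -notext -startdate "$1" -enddate "$2" \
        -in leaf.csr -out leaf.crt >/dev/null 2>&1
    openssl x509 -in leaf.crt -noout -startdate -enddate
)
```

Calling `sign_with_dates 240101000000Z 340101000000Z` prints the two lines `notBefore=Jan  1 00:00:00 2024 GMT` and `notAfter=Jan  1 00:00:00 2034 GMT`, the same values "x509" would show for any certificate.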