Left out response to -nodes option...

On 12/20/2012 03:44 AM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Wednesday, 19 December, 2012 22:24
... I am trying better to understand ...
creating a mailserver (postfix) cert.

I am looking at a couple of templates.  The one at postfix.org creates an
'unsigned public key certificate':

openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365

There is no such thing as an 'unsigned public key certificate'.
Wherever you saw that should be regarded with suspicion.
Certs are signed, that's part of what makes them certs.*
That command creates a cert signing request, aka cert request,
aka CSR, but -days n and -nodes are useless for that command,
so as a template this should be regarded with suspicion.

-nodes
if this option is specified then if a private key is created it
will not be encrypted.

Seems to me that -nodes is perfectly valid for a CSR. The requester MAY generate its own keypair. Some feel this should be a SHOULD, and I really don't recall what ended up in the RFCs. Nor am I inclined to dig into it.


* Related: if there or anywhere you see a claim that a CA "signs"
a CSR, or the user/entity/server/client/etc sends a CSR to a CA
"to be signed" or words to that effect, that is quite wrong
and indicates that the author either doesn't know what they're
talking about or does not want to explain it correctly.
A cert is signed, and usually a cert contains information >from<
a CSR and it is vital it does, but the signed data (TBS) in
the cert is NOT a copy of the CSR nor of the TBS in the CSR.
It is a different structure, which OpenSSL calls X509_CINF.
The name 'certificate signing request' may contribute to this
problem, because it calls attention to only one part of what the
CA does. Maybe it should have been named certificate >issuance<
request or certificate >creation< request or somesuch. It wasn't.

A tutorial I am working with creates a 'self-signed certificate':

openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes \
    -keyout smtpd.key -keyform PEM -days 365 -x509

I have figured out that the two -xxxform PEM parameters only select the
default value (and PEM has probably always been the default for openssl),
so they can be dropped.  The challenge is the -x509 parameter.  It does
not seem to be the default for req, and yet the -days nnn option seems
to be tied to it.   The man page says:

         -x509
             this option outputs a self signed certificate instead of a
             certificate request. This is typically used to generate a test
             certificate or a self signed root CA. The extensions added to the
             certificate (if any) are specified in the configuration file.
             Unless specified using the set_serial option 0 will be used for the
             serial number.

         -days n
             when the -x509 option is being used this specifies the number of
             days to certify the certificate for. The default is 30 days.

So is -x509 the default?  If not, what is the default, and for the
default what does -days nnn do?

-x509 is not the default. As the manpage says, -x509 outputs
a self-signed cert >instead of< a CSR. The default if -x509
is not specified is to output a CSR. (If you use -new or -newkey
without -x509 it *creates* a CSR and outputs that new CSR, as
you have here. 'req' can also process an existing CSR.)

If -x509 is used and it outputs a cert, a cert has a validity
period, which can be set with -days n and defaults to 30 days.

If -x509 is not used and it outputs a CSR, a CSR does not have
a validity period, and -days n is useless. See above.

Because openssl utilities generally parse all arguments before
starting to process them, you often, including here, do NOT get
an error message for specifying unnecessary/unused options.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
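The three points Dave makes above (a CSR has no validity period, so -days only means something with -x509; -nodes applies to the key and so is fine for either; and a CA does not "sign the CSR" but builds and signs a new certificate body that carries the CSR's subject and public key under the CA's own issuer name, serial and validity window) can be checked directly with the req and x509 utilities. The script below is an added example, not code from the thread or from the postfix.org/tutorial templates being discussed. It assumes an `openssl` binary (1.1.1 or 3.x) with its default config file is on PATH and that `mktemp -d` works; every subject name in it is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` (1.1.1 or 3.x) is on
# PATH with a usable default openssl.cnf, and that mktemp -d works. All
# subject names below are invented for the demonstration.
set -eu

WORK=$(mktemp -d)
SMTPD_KEY="$WORK/smtpd.key"
SMTPD_CSR="$WORK/smtpd.csr"
SMTPD_CERT="$WORK/smtpd.pem"      # issued from the CSR by the toy CA below
SELF_CERT="$WORK/selfsigned.pem"  # -x509 with no -days: shows the 30-day default
CA_KEY="$WORK/ca.key"
CA_CERT="$WORK/ca.pem"

# 1. Key pair + CSR. -nodes leaves the private key unencrypted. -days is
#    passed on purpose: a CSR carries no validity period, so it changes
#    nothing (some releases warn on stderr, none fail).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=smtp.example.test" \
        -keyout "$SMTPD_KEY" -out "$SMTPD_CSR" -days 365 2>/dev/null
}

# 2. A self-signed cert straight from req: -x509 turns the output into a
#    certificate, so a validity period now exists. -days is omitted here to
#    expose the documented default of 30 days.
make_self_signed() {
    openssl req -x509 -new -newkey rsa:2048 -nodes \
        -subj "/CN=selfsigned.example.test" \
        -keyout "$WORK/self.key" -out "$SELF_CERT" 2>/dev/null
}

# 3. A toy root CA, then a certificate *issued from* the CSR. Nothing signs
#    the CSR itself: x509 -req assembles a new TBSCertificate (CA issuer
#    name, fresh serial, validity window, the CSR's subject and public key)
#    and signs that structure with the CA key.
make_ca_and_issue() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -keyout "$CA_KEY" -out "$CA_CERT" -days 3650 2>/dev/null
    openssl x509 -req -in "$SMTPD_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 365 -out "$SMTPD_CERT" 2>/dev/null
}

# ---- checks that the thread's claims reduce to ---------------------------

# Number of "Not After" lines in the decoded object: 0 for a CSR, 1 for a cert.
csr_validity_lines()  { openssl req  -in "$SMTPD_CSR"  -noout -text | grep -c 'Not After' || true; }
cert_validity_lines() { openssl x509 -in "$SMTPD_CERT" -noout -text | grep -c 'Not After' || true; }

# 0 when -nodes did its job: the PEM header is PRIVATE KEY, not ENCRYPTED PRIVATE KEY.
key_encrypted_lines() { grep -c 'ENCRYPTED' "$SMTPD_KEY" || true; }

# Exit 0 if the cert ($1) is still valid $2 days from now (-checkend takes seconds).
valid_for_at_least_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# The issued cert reuses the CSR's public key and subject, but names the CA as issuer.
issued_pubkey_matches_csr() {
    [ "$(openssl req -in "$SMTPD_CSR" -noout -pubkey)" = \
      "$(openssl x509 -in "$SMTPD_CERT" -noout -pubkey)" ]
}
issued_cert_issuer()  { openssl x509 -in "$SMTPD_CERT" -noout -issuer; }
issued_cert_subject() { openssl x509 -in "$SMTPD_CERT" -noout -subject; }

make_csr
make_self_signed
make_ca_and_issue

echo "'Not After' lines in CSR: $(csr_validity_lines), in issued cert: $(cert_validity_lines)"
echo "ENCRYPTED markers in key: $(key_encrypted_lines)"
echo "$(issued_cert_issuer)"
echo "$(issued_cert_subject)"
```

Running it shows the CSR decoding with no Validity block at all, the issued certificate with one, the key written by -nodes as a plain PRIVATE KEY block, and an issuer line naming the CA while the subject line still names the mail server; `-checkend` confirms the issued cert is good for about 365 days and the -x509 cert without -days for about 30.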