> From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
> Sent: Thursday, 20 December, 2012 08:24
>
> Left out response to -nodes option...
>
> On 12/20/2012 03:44 AM, Dave Thompson wrote:
> >> openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365
> >
> > That command creates a cert signing request, aka cert request,
> > aka CSR, but -days n and -nodes are useless for that command,
> > so as a template this should be regarded with suspicion.
>
> -nodes
>     if this option is specified then if a private key is created it
>     will not be encrypted.
>
> Seems to me that -nodes is perfectly valid for a CSR. The requester MAY
> generate its own keypair. Some feel this should be a SHOULD, and I
> really don't recall what ended up in the RFCs. Nor am I inclined to dig
> into it.

You're (mostly) right. There are two somewhat separate issues:

- who should generate the keypair, and the CSR (which requires
  possession of the keypair). This has been much debated over the
  years, and practice nowadays seems to be mostly that it should be
  the user, but this is really a "policy" question that standards
  can't fully answer and Internet RFCs traditionally don't even try to.

- how the keypair and CSR are generated by whoever does it. openssl
  has a few options; you can generate the keypair alone and then a CSR
  (or self-signed cert) for it, or 'req' can generate both the keypair
  and the CSR (or SSC). Generally you use req -newkey for the latter
  case, but I forgot that req -new without -newkey can do so, including
  that example. Yes, when generating the keypair -nodes is meaningful.

<snip rest>

Also from first response:

> The req command primarily creates and processes certificate requests in
> PKCS#10 format. It can additionally create self signed certificates for
> use as root CAs for example.

Exactly. In relation to that the options should make more sense.
Plus the fact that features and options for all command-line have
evolved over years and often aren't as consistent and exact as they
would be (hopefully!) if all done -- or redone -- at once.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
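The two routes Dave describes (generate the key pair first and then a CSR for it, or let `req -newkey` produce both), what `-nodes` actually changes, and why `-days` only matters once `-x509` turns the request into a self-signed certificate, as an added, runnable example. This is not code from the thread or from the OpenSSL project; it assumes an `openssl` binary on PATH, and the subject names, file names and the demo passphrase are made up for the demonstration. Each step is followed by the check a practitioner would run on the result: is the key file encrypted, does the CSR's self-signature verify, does the CSR embed the public half of the key you think it does, and does the output carry a validity period at all.

```shell
#!/bin/sh
# Added example for the openssl-users thread above; not code from the thread or
# from the OpenSSL project. Assumes an `openssl` binary on PATH. Subject names,
# file names and the demo passphrase are made up.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH; nothing to demonstrate" >&2
    exit 0
fi

WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so the demo does not depend on the system openssl.cnf.
CFG="$WORK/req.cnf"
printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$CFG"

# Route 1: generate the key pair on its own, then a CSR for it (req -new -key).
# -days is accepted here but has no effect: a CSR carries no validity period.
route1_key_then_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/r1-key.pem" 2>/dev/null
    openssl req -config "$CFG" -new -key "$WORK/r1-key.pem" \
        -subj "/CN=route1.example.test" -days 365 -out "$WORK/r1-req.pem" 2>/dev/null
}

# Route 2: let req generate the key pair itself (-newkey) together with the CSR.
# With -nodes the key is written unencrypted; without it req encrypts the key
# (the passphrase is supplied non-interactively here; otherwise req prompts).
route2_key_and_csr() {
    openssl req -config "$CFG" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/r2-key.pem" -subj "/CN=route2.example.test" \
        -out "$WORK/r2-req.pem" 2>/dev/null
    openssl req -config "$CFG" -new -newkey rsa:2048 -passout pass:demo-passphrase \
        -keyout "$WORK/r2enc-key.pem" -subj "/CN=route2enc.example.test" \
        -out "$WORK/r2enc-req.pem" 2>/dev/null
}

# The other job of req: -x509 produces a self-signed certificate (e.g. a root CA)
# instead of a CSR, and here -days does set the validity period.
self_signed_root() {
    openssl req -config "$CFG" -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca-key.pem" -subj "/CN=Demo Root CA" -out "$WORK/ca.pem" 2>/dev/null
}

# Prints "encrypted" or "plain" for a PEM private key (covers both the PKCS#8
# "ENCRYPTED PRIVATE KEY" header and the legacy "Proc-Type: 4,ENCRYPTED" form).
key_encryption() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

# Prints "ok" if the CSR's own signature verifies: the requester proved it holds
# the private key matching the public key in the request.
csr_verify() {
    if openssl req -noout -verify -in "$1" >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# Public half of a private key; optional second argument is its passphrase.
pubkey_of_key() {
    if [ $# -ge 2 ]; then
        openssl pkey -in "$1" -pubout -passin "pass:$2"
    else
        openssl pkey -in "$1" -pubout
    fi
}

# Prints "match" if the CSR embeds the public key of the given private key.
csr_matches_key() {
    csr_pub=$(openssl req -noout -pubkey -in "$1")
    key_pub=$(pubkey_of_key "$2" ${3+"$3"})
    if [ "$csr_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Number of "Not After" lines in the text dump: 0 for a CSR, 1 for a certificate.
# First argument is the openssl subcommand to parse with (req or x509).
not_after_count() {
    openssl "$1" -noout -text -in "$2" | grep -c 'Not After' || true
}

run_demo() {
    route1_key_then_csr
    route2_key_and_csr
    self_signed_root
    echo "work dir: $WORK"
    echo "route1: key $(key_encryption "$WORK/r1-key.pem"), csr verify $(csr_verify "$WORK/r1-req.pem"), key $(csr_matches_key "$WORK/r1-req.pem" "$WORK/r1-key.pem")"
    echo "route2 -nodes: key $(key_encryption "$WORK/r2-key.pem"), csr verify $(csr_verify "$WORK/r2-req.pem"), key $(csr_matches_key "$WORK/r2-req.pem" "$WORK/r2-key.pem")"
    echo "route2 encrypted: key $(key_encryption "$WORK/r2enc-key.pem"), key $(csr_matches_key "$WORK/r2enc-req.pem" "$WORK/r2enc-key.pem" demo-passphrase)"
    echo "Not After lines: CSR $(not_after_count req "$WORK/r1-req.pem"), self-signed cert $(not_after_count x509 "$WORK/ca.pem")"
}

run_demo
```

The `key_encryption` check is the one worth keeping in a CA-enrollment script: a key that should have been protected by a passphrase but was generated with `-nodes` (or the reverse, an encrypted key that an unattended service cannot load) is caught before the CSR is ever sent off. The CSR-to-key comparison matters when key and request are produced in separate steps, which is exactly the case where the wrong file is easy to pick up.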