On 12/20/2012 06:52 PM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Thursday, 20 December, 2012 08:24
Left out response to -nodes option...
On 12/20/2012 03:44 AM, Dave Thompson wrote:
openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365
That command creates a cert signing request, aka cert request, aka CSR, but -days n and -nodes are useless for that command, so as a template this should be regarded with suspicion.
-nodes
if this option is specified then if a private key is created it will not be encrypted.
Seems to me that -nodes is perfectly valid for a CSR. The requester MAY generate its own keypair. Some feel this should be a SHOULD, and I really don't recall what ended up in the RFCs. Nor am I inclined to dig into it.
You're (mostly) right. There are two somewhat separate issues:
- who should generate the keypair, and the CSR (which requires possession of the keypair). This has been much debated over the years,
And I was part of those debates.
and practice nowadays seems to be mostly that it should be the user, but this is really a "policy" question that standards can't fully answer and Internet RFCs traditionally don't even try to.
That is right. We punted to the lawyers.
- how the keypair and CSR are generated by whoever does it. openssl has a few options; you can generate the keypair alone and then a CSR (or self-signed cert) for it, or 'req' can generate both the keypair and the CSR (or SSC). Generally you use req -newkey for the latter case, but I forgot that req -new without -newkey can do so, including that example.
Yes, when generating the keypair, -nodes is meaningful.
<snip rest>
Also from first response:
The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.
Exactly. In relation to that the options should make more sense. Plus the fact that features and options for all command-line tools have evolved over years and often aren't as consistent and exact as they would be (hopefully!) if all done -- or redone -- at once.
I think I got enough to work with it for now.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
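The two workflows the thread contrasts, as an added example that is not part of the original exchange and not code from the OpenSSL project: 'req' generating the keypair and CSR in one step (where -nodes decides whether the new key is encrypted on disk), versus generating the key separately and building the CSR from it (where -nodes does nothing because no key is created), plus the -x509 case, which is the only one where -days applies. The subject name, file names and passphrase are assumptions chosen for the demo; it needs an openssl binary in PATH and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself.
# Assumed for the demo: subject /CN=example.test, the file names below,
# and the passphrase "demo-passphrase".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SUBJ="/CN=example.test"   # assumed subject

# Workflow 1: req generates BOTH the keypair and the CSR. -nodes matters here:
# it leaves the freshly generated private key unencrypted. -days is omitted
# on purpose: a CSR carries no validity period, so it only applies with -x509.
gen_key_and_csr_nodes() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/nodes-key.pem" -out "$1/nodes-req.pem" -subj "$SUBJ" 2>/dev/null
}

# Same step without -nodes: req encrypts the new key under the given passphrase.
gen_key_and_csr_encrypted() {
    openssl req -new -newkey rsa:2048 -passout pass:demo-passphrase \
        -keyout "$1/enc-key.pem" -out "$1/enc-req.pem" -subj "$SUBJ" 2>/dev/null
}

# Workflow 2: generate the keypair on its own, then make the CSR from the
# existing key. -nodes would be meaningless here: req creates no key.
gen_csr_from_existing_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/sep-key.pem" 2>/dev/null
    openssl req -new -key "$1/sep-key.pem" -out "$1/sep-req.pem" -subj "$SUBJ" 2>/dev/null
}

# Same existing key, but a self-signed certificate instead of a CSR.
# -x509 is what makes -days meaningful.
gen_self_signed() {
    openssl req -new -x509 -key "$1/sep-key.pem" -days 365 \
        -out "$1/sep-cert.pem" -subj "$SUBJ" 2>/dev/null
}

# Prints "encrypted" or "plain" by looking at the PEM header; both the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" and the legacy "Proc-Type: 4,ENCRYPTED" forms match.
key_state() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

# Prints "ok" when the CSR's embedded public key is the one belonging to the
# private key (the "possession of the keypair" point) and the CSR's
# self-signature verifies; otherwise "mismatch". $3 is an optional passphrase.
csr_matches_key() {
    key="$1"; req="$2"
    pub_from_key=$(openssl pkey -in "$key" -pubout ${3:+-passin pass:$3} 2>/dev/null || true)
    pub_from_req=$(openssl req -in "$req" -pubkey -noout 2>/dev/null || true)
    if [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_req" ] \
        && openssl req -in "$req" -noout -verify >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

if command -v openssl >/dev/null 2>&1; then
    gen_key_and_csr_nodes "$WORK"
    gen_key_and_csr_encrypted "$WORK"
    gen_csr_from_existing_key "$WORK"
    gen_self_signed "$WORK"
    echo "req -newkey -nodes  key: $(key_state "$WORK/nodes-key.pem"), csr: $(csr_matches_key "$WORK/nodes-key.pem" "$WORK/nodes-req.pem")"
    echo "req -newkey         key: $(key_state "$WORK/enc-key.pem"), csr: $(csr_matches_key "$WORK/enc-key.pem" "$WORK/enc-req.pem" demo-passphrase)"
    echo "genpkey + req -key  key: $(key_state "$WORK/sep-key.pem"), csr: $(csr_matches_key "$WORK/sep-key.pem" "$WORK/sep-req.pem")"
    echo "self-signed cert expires: $(openssl x509 -in "$WORK/sep-cert.pem" -noout -enddate)"
else
    echo "openssl not found in PATH; nothing generated" >&2
fi
```

The public-key comparison is the practical check a CA or a reviewer wants regardless of who generated the key: a CSR is only useful if its public key is the one whose private half the requester actually holds, and 'req -verify' alone only proves that the CSR was signed by whatever key is inside it.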