I only deal with DSA processes, so this is new to me.
I have created a CA and want to create an SSL cert for a server (signed by
the CA), and I am trying to understand the -purpose output for the result.
Below is a simple test case of commands.


mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
cd demoCA
touch index.txt
echo 1000 > serial
cd ..

*//create CA*
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -config myconfig.cnf -batch -passout pass:password

*//Now create an SSL certificate*
openssl genrsa -out myrsa.pem 2048

openssl req -new -out rsapub.csr -days 731 -keyout myrsa.key -batch -extensions v3_OCSP -config myconfig.cnf -passout pass:password

openssl ca -out rsapub.crt.pem -in rsapub.csr -passin pass:password -config myconfig.cnf -batch -cert ./demoCA/cacert.pem

*//Check purpose*
openssl x509 -text -in rsapub.crt.pem -notext -purpose

Certificate purposes:
*SSL client : Yes*
SSL client CA : No
*SSL server : Yes*
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No


1) So is this correct to be used by a server as an SSL cert, giving
rsapub.crt.pem and myrsa.key to the Apache server for configuration?
   I don't understand these fields: SSL server CA: No and SSL client CA: No.

2) Also, what command can I use to see if it is signed by the CA?

3) I am also surprised that I cannot give the config file for this command
    but must specify the default bits to use. Maybe I am missing something.
    I think that by using my config I am sure all options I want are always used.

       openssl genrsa -out myrsa.pem  2048






--
View this message in context: 
http://openssl.6102.n7.nabble.com/SSL-certificate-and-CA-signed-and-purpose-tp46222.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
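
An added example, not part of the original post: it builds a throwaway CA and a server certificate, checks that the CA signed the certificate with `openssl verify -CAfile`, and reads single rows of the `-purpose` report (the "CA" rows say whether a certificate could act as an issuing CA for that purpose). The config contents, file names and subjects are constructed for this demo and are not the poster's myconfig.cnf.

```shell
#!/bin/sh
# Added example. All names (demo.cnf, ca.crt, server.crt, subjects) are constructed.

# Create a throwaway CA and a server certificate signed by it in directory $1.
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$d/demo.cnf" -extensions v3_ca -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=server.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/demo.cnf" -extensions v3_server \
        -out "$d/server.crt" 2>/dev/null
}

# Succeeds only if cert $2 chains to CA $1 and is acceptable for purpose $3.
signed_by_ca() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Print the Yes/No value of one row of the -purpose report for cert $1.
purpose_of() {
    openssl x509 -in "$1" -noout -purpose | sed -n "s/^$2 : //p"
}

demo=$(mktemp -d) && make_demo_pki "$demo" && {
    signed_by_ca "$demo/ca.crt" "$demo/server.crt" sslserver &&
        echo "signed by CA, valid as SSL server"
    echo "server cert, SSL server:    $(purpose_of "$demo/server.crt" "SSL server")"
    echo "server cert, SSL server CA: $(purpose_of "$demo/server.crt" "SSL server CA")"
    echo "CA cert,     SSL server CA: $(purpose_of "$demo/ca.crt" "SSL server CA")"
}
rm -rf "$demo"
```

Because the demo server certificate carries only the serverAuth extended key usage, the same `verify` call with `-purpose sslclient` fails for it.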
