> From: owner-openssl-us...@openssl.org On Behalf Of Mike.
> Sent: Friday, October 04, 2013 16:28
> I have just started to learn OpenSSL, and I am having troubles
> finding documentation that is helpful.
>
> www.openssl.org seems to have lots of reference documentation, but
> not too much in usage documentation, e.g., what are the typical
> contents expected in the SAN for a CA cert vs. those of a server
> cert.
>
FWIW the first three sections under www.openssl.org/docs/ are web-ized copies of the man pages that exist on your own system if you download, build and install on Unix, or probably if you install someone else's packaged build (rpm etc.) (I don't know if it's possible to package man separately or not at all, but it would be very silly). On Windows builds the manpages aren't normally done because Windows doesn't usually have the pod+man infrastructure, but the pod files are in sourcetree/doc/{apps,ssl,crypto} and not too hard to read if needed.

OpenSSL code tries not to limit or control what name subfields and extensions are used, because they have changed over time and may well change again. For public network usage SSL the main current standards are RFC 5280 and www.cabforum.org (which focusses mostly on the CA validating the subject/request, but that is reflected in the resulting cert). But people don't always follow standards. And they may be different in nonpublic networks, even large ones. For example, I recently saw references on the NIST (CSRC) website to special standards for US government PKI (can't find now due to the shutdown).

IMVVHO the wiki would be a more appropriate place than man for information expected to be obsoleted -- but as I am not even a wiki user, much less an editor, take that opinion with a shakerful of salt.

SAN shouldn't be needed for a CA cert at all. The basic Subject, in DN format, is the name copied to the child certs (and CRLs), and thus the only useful one.
<snip>
> Basically, for example, what I want to do is understand the "Setting
> Up A Certificate Authority" section of O'Reilly's book
<snip>
> I want to understand what commands invoke what v3 extension
> sections, e.g., (example 3-5, page 65 in O'Reilly) when I invoke the
> openssl req command to generate a CA csr, how does that translate
> into the part of the config file that specifies what extensions will
> be included in the csr?
>
req_extensions in [req] by default identifies the section of the config file used for extensions by req -new. You can override with -reqexts on the command line. (man req!) Note that if you use req -new -x509 to generate a *cert* that's different. And there's no point in generating a CSR for a CA *root* cert, since that's a one-party operation; just use req -new -x509. (For intermediate CA certs, do go through CSR+issue.)

Note that some cert extensions should be the same for all certs/subjects and thus it is sensible to configure them for the issuance operation, not each CSR. In fact SAN is the only common extension really subject-specific.

> Ditto for openssl req for a server csr.
>
>
> All the pieces seem to be documented, but I am having difficulty
> figuring out how the pieces fit together.
>
How realistic do you need to be? As far as just testing SSL comms, you probably don't need anything more than SAN and AKI, and fixed values for BC, KU and probably EKU. If you want to test revocation, you need the related extensions, but you also need to generate and distribute CRLs, or run an OCSP responder, or both; that's a bigger deal. If you want to test EV you need policy, but getting an EV policy is a huge deal.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
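Putting the pieces of that reply together, here is an added example (not code from the thread or from the OpenSSL project): one config file whose extension sections are selected by req_extensions (default for req -new), -reqexts (override) and -extensions (for req -x509 and for issuance), with a root made in one step and a server cert issued from a CSR. The section names, the CA name demo-ca and the host www.example.test are assumed for the demo.

```shell
# Added example, not from the thread. Assumed names: section names,
# "demo-ca" and www.example.test. Files are written under $WORK.
set -e
WORK="${WORK:-$(mktemp -d)}"
write_config() {
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
# section used by "req -new" unless -reqexts names another one
req_extensions     = v3_req
[ req_dn ]
[ v3_req ]
# the only commonly subject-specific extension, so it belongs in the CSR
subjectAltName = DNS:www.example.test
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
# fixed for every server cert: configured once at issuance, not per CSR
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:www.example.test
EOF
}
# Root CA: a one-party operation, so no CSR; -extensions picks v3_ca directly.
make_root() {
  openssl req -new -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=demo-ca" -days 30 2>/dev/null
}
# Server CSR: -reqexts overrides req_extensions (same section here, made explicit).
make_server_csr() {
  openssl req -new -config "$WORK/openssl.cnf" -reqexts v3_req \
    -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=www.example.test" 2>/dev/null
}
# Issue: extensions come from the issuer's v3_server section, not from the CSR.
issue_server() {
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions v3_server \
    -out "$WORK/srv.crt" -days 30 2>/dev/null
}
# has_ext FILE STRING: does the decoded certificate text contain STRING?
has_ext() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }
```

Run write_config, make_root, make_server_csr and issue_server in that order, then inspect the results with `openssl x509 -noout -text` (or has_ext) to see which extensions landed in the root and which in the server cert.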