0

Have I understood correctly that when CSR is signed with openssl x509 tool, a CA database index file is not updating ? As opposite, when signing with openssl ca tool, then index file is updating.

Sjoerd
  • 28,707
  • 12
  • 74
  • 102
sharlino
  • 33
  • 1
  • 4

1 Answers1

2

This is correct. openssl x509 is only a tool to manipulate and create certificates, but it is not a standalone CA and does not keep any status. Whereas openssl ca is described in the documentation as:

The ca command is a minimal CA application. It can be used to sign certificate requests in a variety of forms and generate CRLs it also maintains a text database of issued certificates and their status.

This text database includes the index file you refer too.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Also, in the [CA Database documentation](http://pki-tutorial.readthedocs.io/en/latest/cadb.html), it states that "the `openssl ca` command uses this file as certificate database." – Sjoerd May 03 '17 at 06:49