Note that 00 in 00.pem is the serial number of the certificate.

When I run this command, it also creates a file called 00.pem in the new certs directory.

The 00.pem has the same content as enduser-example.com.crt.

Here is the command:

openssl ca -batch -config enduser-certs/enduser-certs.conf -notext -in enduser-certs/enduser-example.com.csr -out enduser-certs/enduser-example.com.crt

The configuration file enduser-certs.conf is:

[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ myca ]
dir = /path/to/SSLCA/intermediates
new_certs_dir = /path/to/SSLCA/enduser-certs
unique_subject = no
certificate = $dir/Example Intermediate Certificate Authority.crt
database = $dir/certindex
private_key = $dir/Example Intermediate Certificate Authority.key
serial = $dir/certserial
default_days = 365
default_md = sha512
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 25

[ myca_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
crlDistributionPoints = @crl_section
authorityInfoAccess = @ocsp_section
subjectAltName  = @alt_names

[alt_names]
DNS.0 = *.example.com
DNS.1 = example.com

[crl_section]
URI.0 = http://pki.example.com/Example Intermediate Certificate Authority.crl

[ocsp_section]
OCSP;URI.0 = http://pki.example.com/ocsp/
caIssuers;URI.0 = http://pki.example.com/Example Intermediate Certificate Authority.crt

Is this normal?

  • I’m voting to close this question because it's not a security question. The behaviour is expected, and reading the documentation would have showed you this before you started. – Rory Alsop Feb 09 '21 at 18:14

1 Answer

From the documentation of ca:

-outdir directory
The directory to output certificates to. The certificate will be written to a filename consisting of the serial number in hex with .pem appended.
...
new_certs_dir
The same as the -outdir command line option. It specifies the directory where new certificates will be placed. Mandatory.

So yes, this is the documented and expected behavior.

Steffen Ullrich
  • Any difference between `new_certs_dir` and `-outdir` at all? Is it used in the command line too? – Example person Feb 06 '21 at 18:32
  • @Chi.C.J.RajeevaLochana: I really recommend that you read the documentation. It shows the context where these options are used, i.e. command line vs. config. Apart from that the meaning of "the same" in the documentation is not ambiguous to me. – Steffen Ullrich Feb 06 '21 at 21:09
  • Is there any difference between 'The directory to output certificates to' and 'It specifies the directory where new certificates will be placed.' in this context? Because the new_certs_dir says `new certificates`, but outdir says just `certificates`. Does outdir place more certificates than new_certs_dir?Just tell me yes or no. – Example person Feb 07 '21 at 05:45
  • 1
    @Chi.C.J.RajeevaLochana: What part of *"__The same__ as the -outdir command line option"* is ambiguous? While there are slightly different descriptions they essentially mean the same and the wording "the same" says that very clear. It can also seen from [the code](https://github.com/openssl/openssl/blob/master/apps/ca.c#L656) that `new_certs_dir` is used if `-outdir` is not given, so these really mean the same. – Steffen Ullrich Feb 07 '21 at 06:57