0

Note that 00 in 00.pem is the serial number of the certificate.

When I run this command, it also creates a file called 00.pem in the new certs directory.

The 00.pem has the same content as enduser-example.com.crt.

Here is the command:

    openssl ca -batch -config enduser-certs/enduser-certs.conf -notext -in enduser-certs/enduser-example.com.csr -out enduser-certs/enduser-example.com.crt

The configuration file enduser-certs.conf is:

    [ ca ]
    default_ca = myca

    [ crl_ext ]
    issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always

    [ myca ]
    dir = /path/to/SSLCA/intermediates
    new_certs_dir = /path/to/SSLCA/enduser-certs
    unique_subject = no
    certificate = $dir/Example Intermediate Certificate Authority.crt
    database = $dir/certindex
    private_key = $dir/Example Intermediate Certificate Authority.key
    serial = $dir/certserial
    default_days = 365
    default_md = sha512
    policy = myca_policy
    x509_extensions = myca_extensions
    crlnumber = $dir/crlnumber
    default_crl_days = 25

    [ myca_policy ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ myca_extensions ]
    basicConstraints = critical,CA:FALSE
    keyUsage = digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    crlDistributionPoints = @crl_section
    authorityInfoAccess = @ocsp_section
    subjectAltName = @alt_names

    [alt_names]
    DNS.0 = *.example.com
    DNS.1 = example.com

    [crl_section]
    URI.0 = http://pki.example.com/Example Intermediate Certificate Authority.crl

    [ocsp_section]
    OCSP;URI.0 = http://pki.example.com/ocsp/
    caIssuers;URI.0 = http://pki.example.com/Example Intermediate Certificate Authority.crt

Is this normal?

1
  • I’m voting to close this question because it's not a security question. The behaviour is expected, and reading the documentation would have shown you this before you started.
    – Rory Alsop
    Commented Feb 9, 2021 at 18:14

1 Answer

3

From the documentation of ca:

-outdir directory
The directory to output certificates to. The certificate will be written to a filename consisting of the serial number in hex with .pem appended.
...
new_certs_dir
The same as the -outdir command line option. It specifies the directory where new certificates will be placed. Mandatory.

So yes, this is the documented and expected behavior.

4
  • Any difference between new_certs_dir and -outdir at all? Is it used in the command line too? Commented Feb 6, 2021 at 18:32
  • @Chi.C.J.RajeevaLochana: I really recommend that you read the documentation. It shows the context where these options are used, i.e. command line vs. config. Apart from that, the meaning of "the same" in the documentation is not ambiguous to me. Commented Feb 6, 2021 at 21:09
  • Is there any difference between 'The directory to output certificates to' and 'It specifies the directory where new certificates will be placed.' in this context? Because the new_certs_dir says new certificates, but outdir says just certificates. Does outdir place more certificates than new_certs_dir? Just tell me yes or no. Commented Feb 7, 2021 at 5:45
  • 1
    @Chi.C.J.RajeevaLochana: What part of "The same as the -outdir command line option" is ambiguous? While there are slightly different descriptions, they essentially mean the same and the wording "the same" says that very clearly. It can also be seen from the code that new_certs_dir is used if -outdir is not given, so these really mean the same. Commented Feb 7, 2021 at 6:57
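
The behaviour quoted from the documentation can be reproduced with a throwaway CA. This is an added example, not part of the original question or answer; the function name `demo_ca`, the file names, the `Demo CA` subject and the starting serial `2A` are all constructed for the demonstration.

```shell
# Added example: constructed throwaway CA; every name below is made up.
demo_ca() {
    work=$(mktemp -d) || return 1
    mkdir "$work/newcerts"
    : > "$work/certindex"          # empty issuance database
    echo 2A > "$work/certserial"   # next serial to issue, in hex
    cat > "$work/ca.conf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = myca
[ myca ]
new_certs_dir = $work/newcerts
database = $work/certindex
serial = $work/certserial
certificate = $work/ca.crt
private_key = $work/ca.key
unique_subject = no
default_days = 1
default_md = sha256
policy = myca_policy
[ myca_policy ]
commonName = supplied
EOF
    # Self-signed demo CA certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$work/ca.conf" \
        -subj "/CN=Demo CA" -days 1 \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null || return 1
    # End-entity key and CSR.
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.conf" \
        -subj "/CN=example.com" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null || return 1
    # Same form as the command in the question: -out names one copy,
    # new_certs_dir receives the CA's own copy named <serial>.pem.
    openssl ca -batch -config "$work/ca.conf" -notext \
        -in "$work/leaf.csr" -out "$work/leaf.crt" 2>/dev/null || return 1
    serial=$(openssl x509 -noout -serial -in "$work/leaf.crt" | cut -d= -f2)
    # Succeeds only if <serial>.pem exists and matches the -out file byte for byte.
    cmp -s "$work/leaf.crt" "$work/newcerts/$serial.pem"; rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "$serial"
}

demo_ca
```

The function prints the issued serial only when the file named after that serial in `new_certs_dir` is identical to the file written by `-out`.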
