LearningTechAndDev
New Member
I tried to ask this question yesterday but haven't got a reply yet, so I will ask here as well.
I read through the answers from this question here:
https://stackoverflow.com/questions/21297139/how-do-you-sign-a-certificate-signing-request-with-your-certification-authority
But my comprehension of the matter is still weak. I am trying to understand the difference between making a CA certificate and key with `-subj` vs making it with the `openssl-ca.cnf`. Here are the details on the two scenarios I'm contemplating:
# Scenario 1 - Using -subj
An organization called AuthorityOfAll ran these commands.
```
# generate the CA private key, then self-sign a root certificate for it
openssl genrsa -out root.key 2048
openssl req -x509 -sha256 -nodes -key root.key -subj "/C=CA/ST=ON/O=AuthorityOfAll/CN=CommonNameAuthorityOfAll" -days 3650 -out root.crt
```
AuthorityOfAll receives `entity.csr` and `entity.cnf` from Alice. Alice wants AuthorityOfAll to email her an `entity.crt`.
AuthorityOfAll runs the command:
```
# sign Alice's CSR with the root key; extensions come from the v3_req section of entity.cnf
openssl x509 -req -in entity.csr -CA root.crt -CAkey root.key -CAcreateserial -out entity.crt -days 500 -sha256 -extensions v3_req -extfile entity.cnf
```
Certificate Authority emails `entity.crt` to Alice.
# Scenario 2 - Using `openssl-ca.cnf`
(I have not tested this scenario. I copied, pasted and edited fragments from https://stackoverflow.com/questions/21297139/how-do-you-sign-a-certificate-signing-request-with-your-certification-authority based on what might look relevant to achieving similar goals to Scenario 1).
An organization called AuthorityOfAll ran this command.
```
# generate a new 4096-bit key (written to default_keyfile from the [req] section) and self-sign a root certificate using the config's DN and extensions
openssl req -x509 -config openssl-ca.cnf -days 365 -newkey rsa:4096 -sha256 -nodes -out root.crt -outform PEM
```
The `openssl-ca.cnf` has the following content:
```
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 3650 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
####################################################################
[ req ]
default_bits = 4096
default_keyfile = root.key
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = AuthorityOfAll
organizationName_default = AuthorityOfAll
organizationalUnitName = Pizza
organizationalUnitName_default = Pizza
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA
emailAddress = Email Address
emailAddress_default = [email protected]
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
```
AuthorityOfAll receives `entity.csr` and `entity.cnf` from Alice. Alice wants AuthorityOfAll to email her an `entity.crt`.
AuthorityOfAll runs the command:
```
# sign Alice's CSR with the root key; extensions come from the v3_req section of entity.cnf
openssl x509 -req -in entity.csr -CA root.crt -CAkey root.key -CAcreateserial -out entity.crt -days 500 -sha256 -extensions v3_req -extfile entity.cnf
```
Certificate Authority emails `entity.crt` to Alice.
-------
I'm trying to understand what the limitations of these two scenarios are. Or why would you use one over the other?
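The following script is an added example, not code from the original post or from the Stack Overflow answer it cites. It builds a root CA both ways (one with `-subj`, one from a config file), creates a CSR carrying a subjectAltName, and then signs that CSR first with `openssl x509 -req` (as in both scenarios above) and then with `openssl ca`, so the resulting certificates can be compared. The names (`alice.example`, `AuthorityOfAll`, `rootA`/`rootB`) and the `[CA_default]` entries (`database`, `serial`, `new_certs_dir`, `policy`) are this example's own assumptions; the CSR, key sizes and validity periods are constructed for the demo. It assumes OpenSSL 1.1.1 or later (for `-addext`).

```shell
#!/bin/sh
# Added example, not from the original post: build a root CA both ways, sign one
# CSR two ways, and compare the results. Names and config values are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# Root A: subject from -subj, extensions from OpenSSL's built-in defaults.
make_root_subj() {
    openssl genrsa -out rootA.key 2048 2>/dev/null
    openssl req -x509 -sha256 -key rootA.key -days 3650 -out rootA.crt \
        -subj "/C=CA/ST=ON/O=AuthorityOfAll/CN=CommonNameAuthorityOfAll" 2>/dev/null
}

# Root B: subject and extensions from a config file. The [ca]/[CA_default]
# section is read only by 'openssl ca'; 'openssl req' and 'openssl x509' ignore it.
make_root_cnf() {
    cat > openssl-ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = index.txt
new_certs_dir    = .
serial           = serial.txt
certificate      = rootB.crt
private_key      = rootB.key
default_days     = 500
default_md       = sha256
policy           = policy_any
x509_extensions  = leaf_extensions
copy_extensions  = copy
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
[ ca_distinguished_name ]
C  = US
O  = AuthorityOfAll
CN = Test CA
[ ca_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign
[ leaf_extensions ]
basicConstraints = CA:false
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -config openssl-ca.cnf -days 365 -newkey rsa:2048 -sha256 \
        -nodes -keyout rootB.key -out rootB.crt 2>/dev/null
    : > index.txt          # 'openssl ca' database; must exist
    echo 01 > serial.txt   # next serial number for 'openssl ca'
}

# Alice's CSR with a SAN (constructed input for this demo).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout entity.key \
        -out entity.csr -subj "/CN=alice.example" \
        -addext "subjectAltName=DNS:alice.example,DNS:www.alice.example" 2>/dev/null
}

# Scenario-style signing with root B and no -extfile: nothing from the CSR's
# extensions is carried over, so the SAN is lost.
sign_with_x509_req() {
    openssl x509 -req -in entity.csr -CA rootB.crt -CAkey rootB.key -CAcreateserial \
        -days 500 -sha256 -out entity-x509.crt 2>/dev/null
}

# 'openssl ca' honours [CA_default]: copy_extensions copies the SAN from the CSR,
# default_days sets validity, and index.txt/serial.txt track issued certificates.
sign_with_ca() {
    openssl ca -config openssl-ca.cnf -batch -notext -in entity.csr \
        -out entity-ca.crt 2>/dev/null
}

# cert_has FILE PATTERN: succeeds if the decoded certificate text contains PATTERN.
cert_has() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

make_root_subj; make_root_cnf; make_csr; sign_with_x509_req; sign_with_ca
for f in rootA.crt rootB.crt entity-x509.crt entity-ca.crt; do
    ku=no; san=no
    cert_has "$f" "X509v3 Key Usage" && ku=yes
    cert_has "$f" "Subject Alternative Name" && san=yes
    echo "$f: keyUsage=$ku SAN=$san"
done
echo "artifacts left in $WORK"
```

The point the comparison makes: the `[ca]` section of `openssl-ca.cnf` (including `copy_extensions`, `default_days` and the CRL settings) only takes effect when the CSR is signed with `openssl ca -config openssl-ca.cnf`, which also keeps a database and serial file for issued certificates. `openssl x509 -req`, used in both scenarios, never reads that section; it adds only what `-extfile`/`-extensions` supply, which is why Alice has to send `entity.cnf` along with the CSR.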