Making CA certificates with `-subj` vs. `openssl-ca.cnf`?

LearningTechAndDev

New Member
Joined
Sep 25, 2023
Messages
9
Reaction score
0
Credits
174
I tried to ask this question yesterday but still didn't get a reply yet, so will ask here as well.

Markdown (GitHub flavored):
I read through the answers from this question here:

https://stackoverflow.com/questions/21297139/how-do-you-sign-a-certificate-signing-request-with-your-certification-authority

But my comprehension on the matter is still weak.  I am trying to understand the difference between making a CA certificate and key with the `-subj` vs making it with the `openssl-ca.cnf`.  Here are the details on the two scenarios I'm contemplating:

# Scenario 1 - Using -subj

An organization called AuthorityOfAll ran these commands.

```
openssl genrsa -out root.key 2048
openssl req -x509 -sha256 -nodes -key root.key -subj "/C=CA/ST=ON/O=AuthorityOfAll/CN=CommonNameAuthorityOfAll" -days 3650 -out root.crt
```

AuthorityForAll receives `entity.csr` and `entity.cnf` from Alice.  Alice wants AuthorityForAll to email her an `entity.crt`.

AuthorityForAll runs the command:

```
openssl x509 -req -in entity.csr -CA root.crt -CAkey root.key -CAcreateserial -out entity.crt -days 500 -sha256 -extensions v3_req -extfile entity.cnf
```

Certificate Authority emails `entity.crt` to Alice.


# Scenario 2 - Using `openssl-ca.cnf`

(I have not tested this scenario. I copied, pasted and edited fragments from https://stackoverflow.com/questions/21297139/how-do-you-sign-a-certificate-signing-request-with-your-certification-authority based on what might look relevant to acheiving similar goals to Scenario 1).

An organization called AuthorityOfAll ran these commands.

```
openssl req -x509 -config openssl-ca.cnf -days 365 -newkey rsa:4096 -sha256 -nodes -out root.crt -outform PEM
```
The `openssl-ca.cnf` has the following content:

```
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca    = CA_default      # The default ca section

[ CA_default ]

default_days     = 3650          # How long to certify for
default_crl_days = 30           # How long before next CRL
default_md       = sha256       # Use public key default MD
preserve         = no           # Keep passed DN ordering

x509_extensions = ca_extensions # The extensions to add to the cert

email_in_dn     = no            # Don't concat the email in the DN
copy_extensions = copy          # Required to copy SANs from CSR to cert

####################################################################
[ req ]
default_bits       = 4096
default_keyfile    = root.key
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
string_mask        = utf8only

####################################################################
[ ca_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = US

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Maryland

localityName                = Locality Name (eg, city)
localityName_default        = Baltimore

organizationName            = AuthorityOfAll
organizationName_default    = AuthorityOfAll

organizationalUnitName         = Pizza
organizationalUnitName_default = Pizza

commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA

emailAddress         = Email Address
emailAddress_default = [email protected]

####################################################################
[ ca_extensions ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign
```

AuthorityForAll receives `entity.csr` and `entity.cnf` from Alice.  Alice wants AuthorityForAll to email her an `entity.crt`.

AuthorityForAll runs the command:

```
openssl x509 -req -in entity.csr -CA root.crt -CAkey root.key -CAcreateserial -out entity.crt -days 500 -sha256 -extensions v3_req -extfile entity.cnf
```

Certificate Authority emails `entity.crt` to Alice.


-------

I'm trying to understand what are the limitations of between these two scenarios?  Or why you would use one over the other?
 

Members online


Top