Making CA certificates with `-subj` vs. `openssl-ca.cnf`?
I read through the answers from this question here:
But my comprehension on the matter is still weak. I am trying to understand the difference between making a CA certificate and key with `-subj` vs. making it with `openssl-ca.cnf`. Here are the details on the two scenarios I'm contemplating:
Scenario 1 - Using `-subj`
An organization called AuthorityOfAll ran these commands.
```
openssl genrsa -out root.key 2048
openssl req -x509 -sha256 -nodes -key root.key -subj "/C=CA/ST=ON/O=AuthorityOfAll/CN=CommonNameAuthorityOfAll" -days 3650 -out root.crt
```
AuthorityForAll receives `entity.csr` and `entity.cnf` from Alice. Alice wants AuthorityForAll to email her an `entity.crt`.
AuthorityForAll runs the command:
```
openssl x509 -req -in entity.csr -CA root.crt -CAkey root.key -CAcreateserial -out entity.crt -days 500 -sha256 -extensions v3_req -extfile entity.cnf
```
Certificate Authority emails `entity.crt` to Alice.
Scenario 2 - Using `openssl-ca.cnf`
(I have not tested this scenario. I copied, pasted and edited fragments from https://stackoverflow.com/questions/21297139/how-do-you-sign-a-certificate-signing-request-with-your-certification-authority based on what might look relevant to achieving similar goals to Scenario 1.)
An organization called AuthorityOfAll ran these commands.
```
openssl req -x509 -config openssl-ca.cnf -days 365 -newkey rsa:4096 -sha256 -nodes -out root.crt -outform PEM
```
The `openssl-ca.cnf` has the following content:
```
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 3650 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
####################################################################
[ req ]
default_bits = 4096
default_keyfile = root.key
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = AuthorityOfAll
organizationName_default = AuthorityOfAll
organizationalUnitName = Pizza
organizationalUnitName_default = Pizza
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
```
AuthorityForAll receives `entity.csr` and `entity.cnf` from Alice. Alice wants AuthorityForAll to email her an `entity.crt`.
AuthorityForAll runs the command:
```
openssl x509 -req -in entity.csr -CA root.crt -CAkey root.key -CAcreateserial -out entity.crt -days 500 -sha256 -extensions v3_req -extfile entity.cnf
```
Certificate Authority emails `entity.crt` to Alice.
I'm trying to understand: what are the limitations of these two scenarios? Or why would you use one over the other?
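The following is an added example, not code from the question or from OpenSSL's own material. It builds a root the `-subj` way and the config-file way, signs one constructed CSR with each root using the question's `openssl x509 -req ... -extfile entity.cnf` command, and then runs the checks a practitioner would want before trusting either result: does the root actually carry `basicConstraints CA:TRUE`, does the leaf verify against it, and does the leaf's SAN come from `entity.cnf`? The difference it exposes is that with `-subj` alone the root's extensions are whatever the installed `openssl.cnf` (or the OpenSSL version's defaults) supplies, while the config file states them explicitly. The `alice.example.com` name, the `entity.cnf` contents and the trimmed `openssl-ca.cnf` (`prompt = no`, 2048-bit keys so it runs quickly) are assumptions made for the example; it requires the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the original question): root CA via -subj vs. via a
# config file, then sign one CSR with each root and inspect the results.
# Names other than the question's AuthorityOfAll are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# --- Scenario 1: -subj; extensions come from the installed openssl.cnf/defaults
openssl genrsa -out root1.key 2048 2>/dev/null
openssl req -x509 -sha256 -nodes -key root1.key -days 3650 \
  -subj "/C=CA/ST=ON/O=AuthorityOfAll/CN=CommonNameAuthorityOfAll" \
  -out root1.crt 2>/dev/null

# --- Scenario 2: config file; CA:TRUE and keyUsage are stated explicitly
#     (trimmed, non-interactive version of the question's openssl-ca.cnf)
cat > openssl-ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_extensions
string_mask        = utf8only

[ ca_dn ]
C  = CA
ST = ON
O  = AuthorityOfAll
CN = CommonNameAuthorityOfAll

[ ca_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -config openssl-ca.cnf -sha256 -nodes -days 3650 \
  -newkey rsa:2048 -keyout root2.key -out root2.crt 2>/dev/null

# --- Alice's CSR and the entity.cnf she sends with it (both constructed)
openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout entity.key \
  -subj "/C=CA/ST=ON/O=Alice/CN=alice.example.com" -out entity.csr 2>/dev/null
cat > entity.cnf <<'EOF'
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:alice.example.com
EOF

# sign_with ROOT_CRT ROOT_KEY OUT_CRT: the question's signing command, parameterised.
# Only the extensions in entity.cnf end up in the leaf; nothing is copied from the CSR.
sign_with() {
  openssl x509 -req -in entity.csr -CA "$1" -CAkey "$2" -CAcreateserial \
    -out "$3" -days 500 -sha256 -extensions v3_req -extfile entity.cnf 2>/dev/null
}
sign_with root1.crt root1.key entity1.crt
sign_with root2.crt root2.key entity2.crt

# has_ca_flag CERT: succeeds when basicConstraints in CERT says CA:TRUE
has_ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok ROOT_CRT LEAF_CRT: succeeds when the leaf verifies against the root
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_san CERT DNSNAME: succeeds when CERT carries that DNS subjectAltName
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Report both scenarios side by side.
for n in 1 2; do
  if has_ca_flag "root$n.crt"; then ca=yes; else ca=no; fi
  if chain_ok "root$n.crt" "entity$n.crt"; then ok=yes; else ok=no; fi
  if has_ca_flag "entity$n.crt"; then leafca=yes; else leafca=no; fi
  echo "scenario $n: root CA:TRUE=$ca  leaf verifies=$ok  leaf CA:TRUE=$leafca"
done
echo "work dir: $WORK"
```

Run it and compare the two report lines. Scenario 2's root is a CA by construction, so its line always reads `CA:TRUE=yes`; Scenario 1's line tells you what the local OpenSSL installation silently added, which is exactly the dependency a config-driven setup removes. In both cases the leaf is `CA:FALSE` and carries the SAN from `entity.cnf`, because `openssl x509 -req -extfile` takes extensions only from the supplied file.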