Very sorry for the late reply to your question!
The short answer is that the outcome of both scripts is pretty much the same, but if you have OpenSSL installed, prefer gen_node_cert_openssl.sh over gen_node_cert.sh.
Long answer: For SG2 and SG5 the preferred/default certificate format was JKS. The gen_node_cert.sh script uses mainly the JDK keytool to generate the certificates in JKS format. However, since JKS is a proprietary format, since SG6 the preferred/default certificate format is PEM/X509. The gen_node_cert_openssl.sh does not use JDK keytool, but OpenSSL only. So the difference is subtle, and the outcome similar. gen_node_cert_openssl.sh just does not use JDK proprietary tools.
On Friday, August 10, 2018 at 3:46:51 AM UTC-5, Victor L wrote:
First, thanks for the great work.
I used offline tls tools (available here) and I noticed gen_node_cert.sh and gen_node_cert_openssl.sh scripts
I understand that the first one generates node certificates in PEM, PKCS12, and JKS format.
The second generates only PEM format, the key is generated with a temporary openssl conf file and then the cert is generated using signing-ca.conf file
My question is simple:
I am not familiar with advanced openssl configurations but what’s the point of the “gen_node_cert_openssl.sh” ? When should I use it ?