OpenSSL, basic configuration, new_certs_dir, certs

As shown in the documentation

https://www.openssl.org/docs/man1.1.0/apps/ca.html

new_certs_dir is used by the CA to output newly generated certs.

certs is not used here. However, it's referenced in the demoCA: "./demoCA/certs - certificate output file". Certs is ALSO not used for certificate chains, as shown here:

https://www.openssl.org/docs/man1.1.0/apps/pkcs12.html or https://www.openssl.org/docs/man1.1.0/apps/verify.html

Note that /etc/ssl/certs is the default location for issued certs. But the certs variable is $dir/certs, so it would be ./demoCA/certs. I think we all agree it's for issued certs specific to the CA. This makes sense because the CA might be signing certs that are chained to certs not yet issued by any public cert authority.

But where is the documentation for this? I believe it's an artifact of the configuration file. It used to be used for options like certificate, which would hold the ca.pem within certs, so certificate=$certs/ca.pem.

I vaguely recall having this exact same question until I realized it was used later in the config file, but now it's not.

Edit: It gets weirder. The current version of ca.c here: https://github.com/openssl/openssl/blob/master/apps/ca.c does not reference certs. But much older versions such as this: https://github.com/openssl/openssl/blob/d02b48c63a58ea4367a0e905979f140b7d090f86/apps/ca.c reference it but do nothing with it.
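To make the "artifact of the configuration file" point concrete, here is an added example (not code from OpenSSL or from either answer) that parses a constructed `CA_default` section, expands `$var` references the way OpenSSL's config reader resolves them (current section first, then the default section), and reports which keys are neither referenced by another value nor read by `openssl ca` according to the ca(1) man page. With the older `certificate = $certs/ca.pem` pattern, `certs` is live; with the modern `certificate = $dir/cacert.pem`, it is dead. The config text and the `dead_keys` helper are constructed for illustration; the expander is a simplified reimplementation, not OpenSSL's own.

```python
"""Which keys in an openssl.cnf CA section are actually consumed?

Added example: a small OpenSSL-style config expander. Constructed config,
not OpenSSL code; the expansion rules are a simplified re-implementation.
"""
import re
from typing import Dict, List, Set

# Constructed demoCA-style section using the older certificate=$certs/ca.pem pattern.
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = ./demoCA
certs         = $dir/certs
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
certificate   = $certs/ca.pem
private_key   = $dir/private/cakey.pem
"""

# Same section with the modern default: certificate no longer goes through $certs.
MODERN_CNF = re.sub(r"certificate\s*=.*", "certificate = $dir/cacert.pem", SAMPLE_CNF)

# Keys the `openssl ca` app reads directly from its section (subset of ca(1) man page).
CA_APP_KEYS: Set[str] = {
    "new_certs_dir", "certificate", "private_key", "database", "serial",
    "default_md", "default_days", "policy", "x509_extensions",
    "unique_subject", "crlnumber", "RANDFILE",
}

# Matches $name, ${name} and $section::name references.
VAR_RE = re.compile(r"\$\{?([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)?)\}?")


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse into {section: {key: raw_value}}; keys before any [section]
    land in the unnamed default section, as in OpenSSL."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def expand(sections: Dict[str, Dict[str, str]], section: str, key: str, _depth: int = 0) -> str:
    """Recursively resolve references. A bare $name is looked up in the
    current section first, then in the default section."""
    if _depth > 20:
        raise ValueError("reference loop while expanding %s" % key)
    raw = sections[section][key]

    def sub(m: "re.Match") -> str:
        ref = m.group(1)
        if "::" in ref:
            sect, name = ref.split("::", 1)
        else:
            sect = section if ref in sections[section] else "default"
            name = ref
        if name not in sections.get(sect, {}):
            raise KeyError("undefined variable %s referenced from [%s]" % (ref, section))
        return expand(sections, sect, name, _depth + 1)

    return VAR_RE.sub(sub, raw)


def referenced_keys(sections: Dict[str, Dict[str, str]], section: str) -> Set[str]:
    """Names referenced by other values inside the section."""
    refs: Set[str] = set()
    for raw in sections[section].values():
        refs.update(m.group(1).split("::")[-1] for m in VAR_RE.finditer(raw))
    return refs


def dead_keys(sections: Dict[str, Dict[str, str]], section: str) -> List[str]:
    """Keys that neither another value nor `openssl ca` itself consumes."""
    live = referenced_keys(sections, section) | CA_APP_KEYS
    return sorted(k for k in sections[section] if k not in live)


if __name__ == "__main__":
    for label, cnf in (("old pattern", SAMPLE_CNF), ("modern pattern", MODERN_CNF)):
        s = parse_cnf(cnf)
        print(label, "-> new_certs_dir =", expand(s, "CA_default", "new_certs_dir"))
        print(label, "-> certificate   =", expand(s, "CA_default", "certificate"))
        print(label, "-> dead keys     =", dead_keys(s, "CA_default"))
```

Running it shows `new_certs_dir` resolving to `./demoCA/newcerts` in both layouts, while `certs` only survives the dead-key check when `certificate` still points through it; that is exactly why the variable lingers in stock config files without `ca.c` touching it.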


I don't have a good reference for this, but my guess and the way I personally use it is by storing newly signed certs in the new_certs dir, but keeping the CA cert (not the key) and higher level CA certs on the certs dir.

That is to differentiate them as they're not signed by your openssl CA, but by some external CA or something like that. In practice it would be just for organization, if it suits you.