Problems adding specific extensions to signed certificates

Michael Leone turgon at mike-leone.com
Thu Feb 6 19:36:03 UTC 2020


This is driving me crazy. I have a CA, running on Debian 9, running
openssl 1.1.0. (This CA is for our organization's internal use only, of
course.) I can successfully sign requests. However, what I can't seem
to do is add x509 extensions to the signed certificate as part of
the openssl.cnf.

Oh, I can add extensions by signing and using the -extfile option, and
specifying a file with the specific options I want to give the
certificate. But I don't want to have to use an addon file, I want to
add parameters to all signed certificates.

keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash

(since all requests come from our own servers, I know that I want to
be sure that the requesting cert gets these, regardless of what else
the request asks for)

But I'm having a heck of a time accomplishing this, probably due to my
own lack of understanding. I thought that, in the "[ req ]" section of
my openssl.cnf, if I have this:

####################################################################
# This is the default certificate request settings
#
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
#x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions = v3_req
x509_extensions = usr_cert

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "PHA Internally generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
#keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage = clientAuth, emailProtection
#
# PHA Added
#
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash

Then I would get the extensions that I want, since they are in the
"[ usr_cert ]" section, which is what is called for the x509_extensions
when signing a request.

But that turns out not to be the case.

What part am I missing, or not understanding? I've got something basic
wrong here, I just can't figure out what.

Signing command:

sudo openssl x509 -req -days 3650 -in requests/<CSR> -CA certs/<Internal-CA-cert> -CAkey private/<internal-CA-key> -CAserial serial -out certs/<signed-CSR>

Doing that, I get no extensions.
Adding "-extfile cert-extensions" and putting the above extensions
in that file, I *do* get them.

I can post the whole openssl.cnf, if need be.

Thanks for any help.

-- 

Mike. Leone, <mailto:turgon at mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...
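The behaviour described in the post is how `openssl x509 -req` works: that command takes extensions only from the file named with `-extfile` (and the section named with `-extensions`), while `x509_extensions` in the `[ req ]` section is consulted only by `openssl req -x509` when it builds a self-signed certificate, and `openssl ca` reads its own `x509_extensions` key from the CA section. The script below is an added example, not code from the poster or from the OpenSSL project. It builds a throwaway CA and CSR in a temporary directory, signs once with the post's command shape and once with the config file itself passed as `-extfile` plus `-extensions usr_cert`, and checks which result carries the extendedKeyUsage extension. All file names, subjects and the minimal config are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the original post's code): shows that "openssl x509 -req"
# ignores x509_extensions in [ req ], and applies the [ usr_cert ] section
# when the config is passed with -extfile and selected with -extensions.
# Every path, subject name and config value below is constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/x509-ext-demo.$$"

# Minimal config carrying the same [ usr_cert ] entries as the post,
# plus a [ v3_ca ] section used only to self-sign the demo CA.
write_config() {
    mkdir -p "$WORK"
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
# Only "openssl req -x509" reads this key; "openssl x509 -req" never does.
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ]
CN = demo

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Throwaway CA (self-signed with the v3_ca section) and a server key + CSR.
make_ca_and_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Demo Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/openssl.cnf" \
        -subj "/CN=server.demo.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 1) The post's command shape: no -extfile, so [ usr_cert ] is never applied.
sign_without_extfile() {
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server-noext.crt" 2>/dev/null
}

# 2) Same command, but openssl.cnf is the -extfile and -extensions names
#    the section; this is how "x509 -req" is told which extensions to add.
sign_with_config_section() {
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions usr_cert \
        -out "$WORK/server-ext.crt" 2>/dev/null
}

# Prints "yes" if the certificate carries an extendedKeyUsage extension, else "no".
has_eku() {
    if openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Extended Key Usage'; then
        echo yes
    else
        echo no
    fi
}

if command -v openssl >/dev/null 2>&1; then
    write_config
    make_ca_and_csr
    sign_without_extfile
    sign_with_config_section
    echo "without -extfile: EKU present = $(has_eku "$WORK/server-noext.crt")"   # no
    echo "with -extfile openssl.cnf -extensions usr_cert: EKU present = $(has_eku "$WORK/server-ext.crt")"   # yes
fi
```

Because `-extfile` accepts the full openssl.cnf, no separate add-on file is needed to get one fixed set of extensions onto every certificate: point `-extfile` at the config and `-extensions` at the section. Note that `x509 -req` does not copy extensions from the CSR, so nothing the request asks for ends up in the certificate unless the chosen section says so.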
