Problems adding specific extensions to signed certificates

Sergio NNX sfhacker at hotmail.com
Fri Feb 7 16:02:26 UTC 2020


This is the basics of OpenSSL!

You would like to add extensions to a CSR or the problem arises when signing it?

You create a CSR (without extension file) and then you can check/inspect whether or not it shows the extension(s) you need/want. After that, you can sign the CSR.



> Ok. I'm not really a Linux guy, but I guess that means to do a "man 5 x509v3_config"?
I believe this odd issue has nothing to do with Linux, Mac and/or Windows.

> OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.
Which part is not clear?


> Obviously I'm missing something basic. Can anyone point out what I am doing wrong?
Indeed you are!

We use Windows, the latest OpenSSL version and only one .cnf file. No issues at all.

First, you create a CSR file with the extensions you need/want.
    (openssl req -new -config user.cnf -key user.key -out user.csr)

Then, you sign the CSR
    (openssl ca -notext -config user.cnf -in user.csr -passin .....)

That's it.

You could email me your (complete) .cnf file with all the extensions you need and I can run the above commands locally to see whether or not there is something wrong/incomplete with your .cnf file.


>>> user.cnf

...
...
[ req_distinguished_name ]
    0.domainComponent = localhost
    countryName = GB
    stateOrProvinceName = London
    localityName = Westminster
    title = Mr
    description = End User Certificate
    commonName = testuser
    emailAddress = support@winradius.eu
    userId = testuser
    organizationalUnitName = IT Department
    serialNumber = 1234-2020-GB

...
...

[ user_cert ]
    basicConstraints = critical,CA:false,pathlen:0
    keyUsage = critical,keyEncipherment
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    nsCertType = client
    extendedKeyUsage = emailProtection
    crlDistributionPoints = @crl_dp
    authorityInfoAccess = caIssuers;URI:http://localhost/rootca.der
    certificatePolicies = ia5org,@policy
...
...

________________________________
From: openssl-users <openssl-users-bounces at openssl.org> on behalf of Michael Leone <turgon at mike-leone.com>
Sent: Saturday, 8 February 2020 2:01 AM
To: openssl-users at openssl.org <openssl-users at openssl.org>
Subject: Re: Problems adding specific extensions to signed certificates

On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>
> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
>
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>        -extfile filename
>            File containing certificate extensions to use. If not specified
>            then no extensions are added to the certificate.
>
>        -extensions section
>            The section to add certificate extensions from. If this option is
>            not specified then the extensions should either be contained in the
>            unnamed (default) section or the default section should contain a
>            variable called "extensions" which contains the section to use. See
>            the x509v3_config(5) manual page for details of the extension
>            section format.

OK, so I read "man 5 x509v3_config", and it's still not clear to me
how I get my extensions added to a req.
I am following this example page from RedHat

 https://access.redhat.com/solutions/28965

So what is the secret I am missing? The way I am reading it, in the "[ req ]" section I need to add

x509_extensions          = usr_cert             # Desired extensions section

and in "[ usr_cert ]", I have added the "KeyUsage" and
"ExtendedKeyUsage" values I want.

which I have done, and which is not giving me what I want.

Obviously I'm missing something basic. Can anyone point out what I am
doing wrong?

The example page shows signing using a separate extensions file, which
I can do, and have done, and that gives me those extensions. But why
doesn't it work without that extension file??
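The two steps Sergio describes and the x509(1) behaviour Viktor quotes, as an added example that is not code from either poster: it builds a constructed throwaway CA and a CSR using the thread's usr_cert section name, signs the CSR with "openssl x509 -req" once without and once with -extfile, and counts the usr_cert extensions that actually land in each certificate. It assumes openssl 1.1.1 or 3.x on PATH; the config contents, the CA name and the EC key type are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo, not code from the thread: throwaway CA, CSR carrying the
# extensions, then "openssl x509 -req" signing without and with -extfile.
count_exts() {  # how many of the three usr_cert extensions a cert contains
  openssl x509 -in "$1" -noout -text |
    grep -Ec 'X509v3 (Basic Constraints|Key Usage|Extended Key Usage):' || true
}
sign_with_extensions() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    # Minimal user.cnf: req_extensions puts usr_cert into the CSR, while the
    # x509_extensions line in [ req ] is consulted only by "req -x509".
    cat > user.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = usr_cert
x509_extensions    = usr_cert
prompt             = no
[ req_distinguished_name ]
commonName = testuser
[ usr_cert ]
basicConstraints = critical,CA:false
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage         = critical,keyCertSign,cRLSign
EOF
    # Throwaway CA (constructed name) and end-entity key; EC keys for speed.
    openssl ecparam -name prime256v1 -genkey -noout -out ca.key
    openssl req -x509 -new -config user.cnf -key ca.key -extensions ca_ext \
      -subj "/CN=constructed test CA" -days 1 -out ca.crt
    openssl ecparam -name prime256v1 -genkey -noout -out user.key
    # Step 1: the CSR now carries usr_cert ("openssl req -in user.csr -text").
    openssl req -new -config user.cnf -key user.key -out user.csr
    # Step 2: x509 -req as a mini-CA. Without -extfile nothing is added, from
    # neither [ req ] nor the CSR itself; -extfile/-extensions adds them.
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -out plain.crt
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -extfile user.cnf -extensions usr_cert -out ext.crt
    plain=$(count_exts plain.crt); ext=$(count_exts ext.crt)
    echo "usr_cert extensions without -extfile: $plain, with -extfile: $ext"
    [ "$plain" -eq 0 ] && [ "$ext" -eq 3 ]
  )
  status=$?
  rm -rf "$work"
  return $status
}
```

sign_with_extensions succeeds only when the plain signing yields no usr_cert extensions and the -extfile run yields all three.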