Openssl req signs certificate with "Basic Constraints: CA: TRUE"
Matt Caswell
matt at openssl.org
Thu Jan 27 12:25:08 UTC 2022
On 27/01/2022 06:00, Glen Huang wrote:
> Hi,
>
> I’m trying to create a signed certificate from a CA certificate without creating a CSR first. From the doc, I came up with this command:
>
> ```
> openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj '/CN=leaf' -out leaf.crt
> ```
>
> However,
>
> ```
> openssl x509 -in leaf.crt -text -noout
> ```
>
> reports that it contains:
>
> ```
> X509v3 Basic Constraints: critical
> CA:TRUE
> ```
>
> Which should be incorrect, since leaf.crt has an issuer and is not a CA.
>
> I wonder if this is by design? Is there a way to omit the basic constraints extension in a leaf certificate?
A close reading of the openssl-req man page will reveal the hint that
explains this:

https://www.openssl.org/docs/man3.0/man1/openssl-req.html

You have used the -CA option. The man page describes this option as follows:

    Specifies the "CA" certificate to be used for signing a new certificate
    and implies use of -x509. When present, this behaves like a "micro CA"
    as follows: The subject name of the "CA" certificate is placed as issuer
    name in the new certificate, which is then signed using the "CA" key
    given as specified below.

The "implies use of -x509" is significant here. The description of the
"-x509" option says that "X.509 extensions to be added can be specified
in the configuration file". Later the description of the configuration
file format on that man page says:

    x509_extensions

    This specifies the configuration file section containing a list of
    extensions to add to certificate generated when -x509 is in use. It can
    be overridden by the -extensions command line switch.

Next if we look at the default config file, we see this:

    [ req ]
    default_bits = 2048
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes
    x509_extensions = v3_ca # The extensions to add to the self signed cert

The comment against "x509_extensions" is actually misleading. These are
actually the extensions to add if the "-x509" option is in use (which is
implied by -CA). Usually if you're just using "-x509" then you are
creating a self-signed cert - but not if you are using "-CA".

So, assuming you are using the default config file settings, then the
extensions to be added are "v3_ca". This has the effect of adding the
"Basic Constraints, CA:TRUE" setting to the certificate. If you comment
out that line from the config file then it won't get added.
Matt
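The behaviour Matt describes, reproduced and then fixed, as an added example that is not part of the thread: one config carries the default-style `x509_extensions = v3_ca` line, the other omits it and selects a leaf section with `-extensions`. It needs OpenSSL 3.0 or later for `-CA` (the functions print "unsupported" otherwise); file names, section names and CNs are assumptions made up for this script.

```shell
#!/bin/sh
# Added example, not code from the thread. "openssl req -CA" implies -x509, so the
# section named by [req] x509_extensions (v3_ca in the default openssl.cnf) ends up
# in the leaf. The fix: a config without that line plus an explicit -extensions
# section for the leaf. Needs OpenSSL 3.0+ for -CA. Paths and CNs are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

req_supports_ca() { openssl req -help 2>&1 | grep -q -- '-CA '; }

write_config() {   # $1 = "with" or "without" the x509_extensions line in [req]
  {
    echo '[ req ]'
    echo 'distinguished_name = req_distinguished_name'
    echo 'prompt = no'
    if [ "$1" = with ]; then echo 'x509_extensions = v3_ca'; fi   # as in default openssl.cnf
    echo '[ req_distinguished_name ]'
    echo 'CN = unused'            # overridden by -subj on the command line
    echo '[ v3_ca ]'
    echo 'basicConstraints = critical, CA:TRUE'
    echo '[ v3_leaf ]'            # what a leaf should carry
    echo 'basicConstraints = critical, CA:FALSE'
    echo 'keyUsage = critical, digitalSignature'
    echo 'extendedKeyUsage = serverAuth'
  } > "$WORK/$1.cnf"
}

setup() {   # self-signed CA (correctly CA:TRUE via the "with" config) and a leaf key
  write_config with
  write_config without
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj '/CN=example-ca' -config "$WORK/with.cnf" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/leaf.key" 2>/dev/null
}

# Issue a leaf with the named config (plus extra req args) and print its CA flag.
leaf_ca_flag() {   # $1 = config name ("with"/"without"), $2.. = extra openssl req arguments
  req_supports_ca || { echo unsupported; return 0; }
  cfg=$1; shift
  openssl req -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -key "$WORK/leaf.key" \
    -subj '/CN=leaf' -config "$WORK/$cfg.cnf" "$@" -out "$WORK/leaf-$cfg.crt" 2>/dev/null
  openssl x509 -in "$WORK/leaf-$cfg.crt" -noout -ext basicConstraints | grep -o 'CA:[A-Z]*'
}

setup
echo "default-style config: $(leaf_ca_flag with)"                          # CA:TRUE (the problem)
echo "fixed config:         $(leaf_ca_flag without -extensions v3_leaf)"   # CA:FALSE
```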