openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3
Jelle de Jong
jelledejong at powercraft.nl
Wed Apr 26 10:11:55 UTC 2023
Hello everybody,
I am trying to generate a CSR with X509v3 from a working X509v3 cert but
the output generates a version 1 CSR without X509v3.
These are the steps to reproduce:
openssl req -utf8 -x509 -nodes -new -keyout key.pem -out cert.pem -days 3650 -subj '/CN=test.example.lan' -extensions v3_req -addext 'subjectAltName = DNS:test.example.lan'
openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extensions v3_req -ext subjectAltName,keyUsage,basicConstraints,extendedKeyUsage,certificatePolicies
openssl req -in csr.pem -noout -verify
openssl req -in csr.pem -out csr.req
# show X509v3 Subject Alternative Name:
openssl x509 -in cert.pem -text -noout
# does not show X509v3 Subject Alternative Name:
openssl req -in csr.req -text -noout
Tried with the below two versions:
$ openssl version
OpenSSL 1.1.1n 15 Mar 2022
# openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
Can someone, do I need a different openssl x509 -x509toreq -extensions ...
Thank you in advance,
Kind regards,
Jelle de Jong
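
Added example, not part of the original post and not OpenSSL project code: a PKCS#10 request only defines version 1, and extensions travel in it as a requested-extensions attribute, so the thing to check in a CSR is whether the SAN is listed there. The sketch builds a CSR directly from the existing key with `req -new -addext` (the option already used in the first command above) and checks the result; the function names and the temporary config file are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the temp config are hypothetical.

# Create a CSR from an existing private key and request a SAN extension.
# $1 = key file, $2 = CN and DNS name, $3 = output CSR path
make_csr_with_san() {
    key=$1; name=$2; out=$3
    cnf=$(mktemp) || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
EOF
    openssl req -new -utf8 -config "$cnf" -key "$key" -out "$out" \
        -addext "subjectAltName = DNS:$name"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Print the SAN value line of a CSR; non-zero status when no SAN is requested.
csr_san() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | grep 'DNS:'
}

# Check the CSR self-signature and that the expected DNS name is requested.
# The verify result is read from the message text, not the exit status.
# $1 = CSR path, $2 = expected DNS name
check_csr() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_san "$1" | grep -qF "DNS:$2"
}

# Usage with the files from the post:
#   make_csr_with_san key.pem test.example.lan csr.pem
#   check_csr csr.pem test.example.lan && echo "SAN present in CSR"
```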