openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3

Jelle de Jong jelledejong at powercraft.nl
Wed Apr 26 16:45:35 UTC 2023


On 4/26/23 12:24, Dirk-Willem van Gulik wrote:
> On 26 Apr 2023, at 12:11, Jelle de Jong <jelledejong at powercraft.nl> wrote:
>> I am trying to generate a CSR with X509v3 from a working X509v3 cert but the output generates a version 1 CSR without X509v3.
>>
>> These are the steps to reproduce:
>>
>> openssl req -utf8 -x509 -nodes -new -keyout key.pem -out cert.pem -days 3650 -subj '/CN=test.example.lan' -extensions v3_req -addext 'subjectAltName = DNS:test.example.lan'
>>
>> openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extensions v3_req -ext subjectAltName,keyUsage,basicConstraints,extendedKeyUsage,certificatePolicies
>>
>> openssl req -in csr.pem -noout -verify
>>
>> openssl req -in csr.pem -out csr.req
>>
>> # show X509v3 Subject Alternative Name:
>> openssl x509 -in cert.pem -text -noout
>>
>> # does not show X509v3 Subject Alternative Name:
>> openssl req -in csr.req -text -noout
>>
>> Tried with the below two versions
>>
>> $ openssl version
>> OpenSSL 1.1.1n  15 Mar 2022
>>
>> # openssl version
>> OpenSSL 1.1.1k  FIPS 25 Mar 2021
>>
>> Can someone help? Do I need a different openssl x509 -x509toreq -extensions …
> 
> 
> I’d expect your default openssl.cnf or something to be empty or incomplete.
> 
> This should work:
> 
> 	cat <<EOM > ext.cnf
> 	authorityKeyIdentifier=keyid,issuer
> 	basicConstraints=CA:FALSE
> 	keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> 	EOM
> 
> 	openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extfile ./ext.cnf
> 	openssl req -in csr.req -text -noout
> 
> Dw.
> 
> 
> % cat ext.cnf
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> 
> % openssl x509 -x509toreq -in cert.pem -signkey key.pem -extfile ./ext.cnf | openssl req -text -noout
> Certificate Request:
>      Data:
>          Version: 1 (0x0)
>          Subject: CN = test.example.lan
>          Subject Public Key Info:
>              Public Key Algorithm: rsaEncryption
>                  Public-Key: (2048 bit)
>                  Modulus:
>                  Exponent: 65537 (0x10001)
>          Attributes:
>              Requested Extensions:
>                  X509v3 Authority Key Identifier:
>                      DirName:/CN=test.example.lan
>                      serial:39:87:74:CF:10:D6:65:50:B4:AF:45:3A:1D:87:98:7A:D3:B5:16:EF
>                  X509v3 Basic Constraints:
>                      CA:FALSE
>                  X509v3 Key Usage:
>                      Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>      Signature Algorithm: sha256WithRSAEncryption
>      Signature Value:
> 

Thank you Dirk-Willem for replying!

I found a workaround for -x509toreq. I tried the above and it did not 
generate the X509v3 extensions, even after I caught the csr.pem vs 
csr.req mistake in the example command.

If someone can get x509toreq to output the X509v3 extensions as expected, 
I would love to see this.

Sadly, only Debian Testing is shipping openssl 3.0.8-1, there is no 
backports package, and my other systems also did not ship with version 3 
for testing. https://packages.debian.org/bullseye/openssl

I needed to be able to reuse the same private key, so I used both yours 
and David's example and came up with this:

openssl genrsa -out key.pem 4096

openssl req -utf8 -x509 -nodes -new -key key.pem -out cert.pem -days 3653 -subj '/CN=test.example.lan' -addext 'subjectAltName = DNS:test.example.lan' -addext 'keyUsage = digitalSignature, keyEncipherment'

openssl req -utf8 -nodes -new -key key.pem -out csr.pem -subj '/CN=test.example.lan' -addext 'subjectAltName = DNS:test.example.lan' -addext 'keyUsage = digitalSignature, keyEncipherment'

openssl req -in csr.pem -noout -verify
verify OK

openssl req -in csr.pem -text -noout
Certificate Request:
     Data:
         Version: 1 (0x0)
         Subject: CN = test.example.lan
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (4096 bit)
                 Modulus:
                 Exponent: 65537 (0x10001)
         Attributes:
         Requested Extensions:
             X509v3 Subject Alternative Name:
                 DNS:test.example.lan
             X509v3 Key Usage:
                 Digital Signature, Key Encipherment
     Signature Algorithm: sha256WithRSAEncryption
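A self-contained version of the key-reuse workaround above, written as an added example that is not from this thread: it generates the key, the self-signed certificate and the CSR, then checks that the CSR really carries the requested extensions and shares the certificate's public key. It assumes openssl 1.1.1 or newer (for -addext) on PATH; the file names and the CN are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes openssl 1.1.1+ on PATH (for
# -addext). File names and the CN are constructed sample values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN=test.example.lan

# One key, reused by both the self-signed certificate and the CSR.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

openssl req -utf8 -x509 -nodes -new -key "$WORK/key.pem" -out "$WORK/cert.pem" \
  -days 3653 -subj "/CN=$CN" -addext "subjectAltName = DNS:$CN" \
  -addext 'keyUsage = digitalSignature, keyEncipherment'

openssl req -utf8 -nodes -new -key "$WORK/key.pem" -out "$WORK/csr.pem" \
  -subj "/CN=$CN" -addext "subjectAltName = DNS:$CN" \
  -addext 'keyUsage = digitalSignature, keyEncipherment'

# csr_version FILE: prints the version openssl shows for the CSR. A PKCS#10
# request is always version 1 (encoded as 0), whatever extensions it carries,
# so "Version: 1 (0x0)" is not a sign of a missing extensionRequest.
csr_version() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *Version: //p'
}

# csr_has_ext FILE NAME: "yes" if the Requested Extensions section lists the
# named extension (e.g. "Subject Alternative Name"), otherwise "no".
csr_has_ext() {
  if openssl req -in "$1" -noout -text | grep -q "X509v3 $2:"; then
    echo yes
  else
    echo no
  fi
}

# same_key CSR CERT: "yes" if both carry the same public key, i.e. the
# CSR really was made from the certificate's private key.
same_key() {
  a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

openssl req -in "$WORK/csr.pem" -noout -verify         # prints "verify OK"
csr_version "$WORK/csr.pem"                            # 1 (0x0)
csr_has_ext "$WORK/csr.pem" "Subject Alternative Name" # yes
csr_has_ext "$WORK/csr.pem" "Key Usage"                # yes
same_key "$WORK/csr.pem" "$WORK/cert.pem"              # yes
```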

