openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3
Jelle de Jong
jelledejong at powercraft.nl
Wed Apr 26 16:45:35 UTC 2023
On 4/26/23 12:24, Dirk-Willem van Gulik wrote:
> On 26 Apr 2023, at 12:11, Jelle de Jong <jelledejong at powercraft.nl> wrote:
>> I am trying to generate a CSR with X509v3 from a working X509v3 cert but the output generates a version 1 CSR without X509v3.
>>
>> These are the steps to reproduce:
>>
>> openssl req -utf8 -x509 -nodes -new -keyout key.pem -out cert.pem -days 3650 -subj '/CN=test.example.lan' -extensions v3_req -addext 'subjectAltName = DNS:test.example.lan'
>>
>> openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extensions v3_req -ext subjectAltName,keyUsage,basicConstraints,extendedKeyUsage,certificatePolicies
>>
>> openssl req -in csr.pem -noout -verify
>>
>> openssl req -in csr.pem -out csr.req
>>
>> # show X509v3 Subject Alternative Name:
>> openssl x509 -in cert.pem -text -noout
>>
>> # does not show X509v3 Subject Alternative Name:
>> openssl req -in csr.req -text -noout
>>
>> Tried with the bollow two versions
>>
>> $ openssl version
>> OpenSSL 1.1.1n 15 Mar 2022
>>
>> # openssl version
>> OpenSSL 1.1.1k FIPS 25 Mar 2021
>>
>> Can someone, do I need a diffrent openssl x509 -x509toreq -extensions …
>
>
> I’d expect your default openssl.cnf or something to be empty or incomplete.
>
> This should work:
>
> cat <<EOM > ext.cnf
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> EOM
>
> openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extfile ./ext.cnf
> openssl req -in csr.req -text -noout
>
> Dw.
>
>
> % cat ext.cnf
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
>
> % openssl x509 -x509toreq -in cert.pem -signkey key.pem -extfile ./ext.cnf | openssl req -text -noout
> Certificate Request:
> Data:
> Version: 1 (0x0)
> Subject: CN = test.example.lan
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> 00:f1:dc:10:07:5c:d0:2e:27:34:93:29:ff:fb:3f:
> b0:6e:81:b8:84:5e:1c:a4:56:b5:15:b7:ff:f1:fa:
> 8e:ea:25:f0:03:7c:3a:4c:db:2e:69:7b:09:ae:78:
> 3a:c2:de:50:62:df:61:ed:15:53:53:f2:b5:20:f0:
> 92:71:c0:43:49:f6:72:32:31:ac:63:58:ec:ed:d3:
> 73:42:81:03:fb:06:1e:18:f5:56:75:9d:fe:e7:5f:
> b0:ac:bb:26:1e:8b:a2:c6:12:4c:98:55:af:4f:35:
> 01:00:b0:2c:05:42:3a:34:ec:28:4f:c7:96:ff:41:
> b4:5b:6a:78:a8:38:51:73:9b:f8:e8:98:27:93:d5:
> ac:4b:0c:88:53:d2:3d:67:f5:2e:d9:73:55:1d:b4:
> 4d:f7:2b:13:b2:a0:58:69:f0:22:20:d5:09:ee:5c:
> a3:d8:bc:f1:d9:3e:1e:82:2a:b0:c9:44:02:e1:a7:
> eb:0f:8a:4a:de:9d:e5:34:51:7d:aa:5b:e5:a8:40:
> c8:eb:4f:7b:56:38:bc:91:3a:bd:71:82:f5:b7:f7:
> 81:69:aa:5d:65:88:ca:e3:99:16:32:55:10:fd:4d:
> f9:16:7e:72:63:98:ea:31:26:76:2a:87:7e:6d:e4:
> 35:ef:ce:79:c7:5c:c1:96:25:31:6f:1b:fc:f8:71:
> 97:59
> Exponent: 65537 (0x10001)
> Attributes:
> Requested Extensions:
> X509v3 Authority Key Identifier: DirName:/CN=test.example.lan
> serial:39:87:74:CF:10:D6:65:50:B4:AF:45:3A:1D:87:98:7A:D3:B5:16:EF
> X509v3 Basic Constraints: CA:FALSE
> X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
> Signature Algorithm: sha256WithRSAEncryption
> Signature Value:
> ac:8a:5a:14:61:2f:59:21:b3:60:02:80:a5:c5:62:19:33:22:
> 0f:98:da:0b:36:9f:00:86:94:67:30:16:b8:ca:ea:e9:35:f7:
> 67:e3:c4:4a:40:d9:55:f6:5e:30:9a:91:7c:d5:5a:86:54:ee:
> 24:c2:60:4a:4d:98:c6:e9:f6:b9:cd:e0:74:ac:e0:17:08:c1:
> 9c:c7:1c:7c:f3:9c:4c:c5:0f:2e:15:cf:35:84:ed:03:b3:d8:
> 90:88:6a:f9:ff:97:d0:82:f0:aa:24:e2:1a:78:ca:63:61:2b:
> 52:9c:bc:6b:46:14:b4:c7:6d:16:13:86:07:4a:e7:5c:a8:7b:
> 9c:76:7a:0f:e2:73:ae:d2:18:7a:92:04:2c:f9:29:ed:71:90:
> a1:f7:15:1c:5b:e4:93:58:55:fc:12:bb:ec:f4:60:65:bd:1d:
> 0b:30:9b:89:d3:19:39:b6:37:43:1c:90:91:3a:41:6e:6c:c6:
> 09:12:02:33:2e:ec:11:d0:e2:96:e0:6d:ed:fc:6a:89:b9:89:
> 80:02:70:85:f7:01:4c:6a:5b:85:9a:e9:37:a3:7b:3f:ff:d1:
> 2c:00:81:b2:de:83:dc:f2:b6:94:e5:d5:22:c5:4a:98:23:3c:
> a9:b9:a6:0d:43:41:0c:70:08:96:77:91:34:02:59:61:6c:2f:
> e5:c4:6f:60
>
Thank you Dirk-Willem for replying!
I found a workaround for -x509toreq I tried the above and it did not
generate the X509v3 extentions! Even after I catched the csr.pem vs
csr.req mistake in the example command.
If someone can get the x509toreq output the X509v3 as expected then I
would love to see this.
Sadly only Debian Testing is shipping openssl 3.0.8-1 and there is no
backports package and my other systems also did not ship with version 3
for testing. https://packages.debian.org/bullseye/openssl
I needed to be able to reuse the same private key so I used both yours
and David example and came up with this:
openssl genrsa -out key.pem 4096
openssl req -utf8 -x509 -nodes -new -key key.pem -out cert.pem -days
3653 -subj '/CN=test.example.lan' -addext 'subjectAltName =
DNS:test.example.lan' -addext 'keyUsage = digitalSignature, keyEncipherment'
openssl req -utf8 -nodes -new -key key.pem -out csr.pem -subj
'/CN=test.example.lan' -addext 'subjectAltName = DNS:test.example.lan'
-addext 'keyUsage = digitalSignature, keyEncipherment'
openssl req -in csr.pem -noout -verify
verify OK
openssl req -in csr.pem -text -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = test.example.lan
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:dc:63:6d:83:41:a3:3f:26:77:02:c8:7c:09:bd:
99:56:e2:0d:de:14:f9:23:70:9e:d8:ab:e4:26:ea:
b8:43:86:c9:c2:2d:a5:13:eb:63:a6:b2:6a:df:80:
b0:56:e6:e0:26:3f:84:c1:61:9c:8f:c4:ea:5d:97:
a7:2d:5a:28:a7:ef:ef:60:37:1d:62:54:b8:cc:94:
8a:32:ea:ee:ab:84:3f:9b:83:e4:31:76:58:97:92:
6d:52:5f:a7:75:56:e5:9c:37:12:26:7e:b6:4e:b1:
71:96:f7:4a:b9:78:de:97:51:32:aa:3f:b5:e2:4b:
60:72:e0:d8:0f:43:25:63:80:61:78:c2:9c:cd:8d:
bf:39:a5:24:78:de:cc:87:30:8b:99:a6:2b:c1:21:
52:09:c1:56:21:25:af:28:9f:a1:3f:4a:eb:bd:d9:
8e:52:2a:39:c1:97:3a:d4:fe:1a:72:42:57:d6:62:
e2:91:67:d6:0e:1b:4a:24:ac:af:c5:ad:3c:f7:a6:
76:cc:95:a5:02:84:80:86:fb:6a:a3:60:af:ac:bb:
1e:bc:b0:33:d5:6d:34:64:49:57:2f:6c:e5:68:8f:
20:8c:b8:cf:5c:eb:ef:27:dd:73:41:07:d4:9a:49:
f8:33:50:e9:77:26:e5:57:23:2a:35:e2:83:4b:04:
17:6c:d3:55:f8:8d:b2:c3:4f:21:bc:3b:41:bb:56:
b4:32:a8:9d:80:81:fb:2c:12:93:23:86:a0:64:c2:
a4:b0:a4:a5:e1:ee:a4:5e:38:b1:5e:eb:28:4c:80:
61:d4:0d:ef:73:ca:58:01:4c:10:2b:b4:a4:6e:74:
bd:0e:90:f3:3a:53:fb:94:eb:d1:c6:60:d2:b9:67:
13:72:ff:8f:27:31:f9:c0:11:a7:dd:02:60:3c:fa:
f0:a4:d3:87:0d:79:98:f4:95:9d:2d:91:e0:35:d5:
12:7c:e3:94:92:ab:07:2c:52:27:2c:47:af:fd:76:
73:db:45:0f:91:8a:95:90:0b:a0:03:a1:50:34:d5:
d6:01:e1:df:73:96:2c:9a:ff:a9:63:9c:6f:ee:30:
03:08:11:c7:11:6a:fb:22:32:75:91:ee:55:55:3b:
4c:9d:6b:c9:2c:49:a9:8f:22:cc:77:0c:1f:f3:44:
0b:57:ef:25:5d:82:d9:0e:dc:a5:56:63:d0:fc:d0:
4e:c0:9b:27:3a:90:6d:36:6b:8d:51:7a:df:5b:a0:
25:f9:4d:72:93:96:3d:1c:35:9d:5a:00:1f:a1:42:
79:55:d2:02:d5:35:ae:da:38:85:30:d0:0b:7c:4f:
0b:55:d8:52:f3:f4:f8:34:5e:f9:20:67:42:6b:0e:
fc:a0:37
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:test.example.lan
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
22:ce:c4:11:27:2f:ea:bb:9e:ce:74:e0:fa:b5:cf:b9:6b:26:
2b:b0:5c:b5:12:11:f0:24:44:30:ac:10:c7:6c:c4:91:a7:62:
68:f7:16:b9:49:da:d9:0a:df:31:08:fe:49:51:9d:2f:2c:59:
1b:79:f5:9a:82:4b:ac:29:f8:ab:35:89:2e:1a:05:e6:b8:f1:
6c:93:ea:39:ce:b3:2b:3f:d3:e7:cb:7d:e9:70:5e:5b:31:83:
84:ec:d7:69:5b:82:07:0e:7f:6d:db:0c:7c:e4:32:aa:76:a1:
0f:24:7b:ae:d0:ad:ac:78:44:07:65:c2:64:0f:ec:b4:f8:1e:
04:ec:be:95:c5:f4:fa:8d:06:dc:7e:c8:ce:c6:44:fc:1d:d2:
25:91:94:33:0a:9a:c1:47:66:11:48:11:61:eb:28:e8:1e:f7:
20:06:07:17:b8:3a:aa:3b:84:63:4c:1b:b3:29:56:f6:e5:3e:
22:6c:9b:be:e9:92:5c:3c:4d:74:03:ec:13:1b:6c:a3:5b:3e:
31:1f:ff:88:e5:de:f4:c7:ff:5b:21:00:e7:14:ba:e6:ec:28:
f2:c9:66:01:4f:1f:fc:00:02:f3:e1:81:d8:1a:a2:67:51:d6:
ff:5f:3a:19:77:19:ab:e7:a6:2a:50:c2:ac:73:e7:0b:e3:61:
d0:6f:ba:d5:6c:4f:d0:9a:32:0e:2e:83:d5:fd:0b:8f:21:37:
8e:aa:bd:b8:aa:3f:28:8e:54:84:33:e0:22:50:30:e7:7b:62:
9b:13:08:ac:d9:d9:55:13:f4:33:ad:c3:24:e0:cb:6a:1e:19:
28:cc:ed:9c:7f:9f:f9:03:94:74:dd:a0:99:05:d9:39:38:80:
e4:5d:9b:2f:2b:72:40:2d:40:69:bd:b7:69:47:dd:32:18:1e:
67:0a:ef:cd:56:de:7c:aa:6a:07:97:4a:6b:91:c9:02:a6:de:
bf:e3:f0:59:1e:d6:da:37:b0:1f:03:ab:33:dd:38:6c:f4:9c:
47:5c:de:50:c0:c4:d6:94:29:79:63:3c:e0:23:61:db:ab:c7:
c7:9a:40:a2:41:e4:a0:98:e6:88:8c:bf:a8:1c:d5:94:76:f2:
f1:9a:12:3f:cf:e2:b0:f6:2d:c7:e2:2a:b6:50:f9:87:89:6f:
1c:97:23:88:2f:88:15:8f:f0:88:d9:4c:f5:75:23:f0:4e:76:
5c:e1:ad:24:00:d8:70:de:8b:f7:34:92:15:48:34:2b:39:19:
71:d0:53:0b:02:c8:73:2f:b7:94:c7:14:cb:c2:60:60:cc:76:
96:d4:53:f6:20:cd:70:4c:a9:81:d7:e3:79:6e:1c:d6:77:14:
93:ad:74:71:c4:d4:ad:ae
More information about the openssl-users
mailing list