<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
This is the basics of OpenSSL!<br>
<div><br>
</div>
<div>You would like to add extensions to a CSR or the problem arises when signing it?<br>
</div>
<div><br>
</div>
<div>You create a CSR (without extension file) and then you can check/inspect whether or not it shows the extension(s) you need/want. After that, you can sign the CSR.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>> Ok. I'm not really a Linux guy, but I guess that means to do a "man 5 x509v3_config"?<br>
</div>
<div>I believe this odd issue has nothing to do with Linux, Mac and/or Windows.<br>
</div>
<div><br>
</div>
<div>> OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.<br>
</div>
<div>Which part is not clear?<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>> Obviously I'm missing something basic. Can anyone point out what I am doing wrong?<br>
</div>
<div>Indeed you are!<br>
</div>
<div><br>
</div>
<div>We use Windows, the latest OpenSSL version and only one .cnf file. No issues at all.<br>
</div>
<div><br>
</div>
<div>First, you create a CSR file with the extensions you need/want.<br>
</div>
<div> (openssl req -new -config user.cnf -key user.key -out user.csr)<br>
</div>
<div><br>
</div>
<div>Then, you sign the CSR<br>
</div>
<div> (openssl ca -notext -config user.cnf -in user.csr -passin .....)<br>
</div>
<div><br>
</div>
<div>That's it. <br>
</div>
<div><br>
</div>
<div>You could email me your (complete) .cnf file with all the extensions you need and I can run the above commands locally to see whether or not there is something wrong/incomplete with your .cnf file.</div>
<div><br>
</div>
<div><br>
</div>
<div>>>> user.cnf<br>
</div>
<div><br>
</div>
<div>...<br>
</div>
<div>...<br>
</div>
<div>[ req_distinguished_name ]<br>
</div>
<div> 0.domainComponent = localhost<br>
</div>
<div> countryName = GB<br>
</div>
<div> stateOrProvinceName = London<br>
</div>
<div> localityName = Westminster<br>
</div>
<div> title = Mr<br>
</div>
<div> description = End User Certificate<br>
</div>
<div> commonName = testuser<br>
</div>
<div> emailAddress = support@winradius.eu<br>
</div>
<div> userId = testuser<br>
</div>
<div> organizationalUnitName = IT Department<br>
</div>
<div> serialNumber = 1234-2020-GB<br>
</div>
<div><br>
</div>
<div>...<br>
</div>
<div>...<br>
</div>
<div><br>
</div>
<div>[ user_cert ]<br>
</div>
<div> basicConstraints = critical,CA:false,pathlen:0<br>
</div>
<div> keyUsage = critical,keyEncipherment<br>
</div>
<div> subjectKeyIdentifier = hash<br>
</div>
<div> authorityKeyIdentifier = keyid:always,issuer:always<br>
</div>
<div> nsCertType = client<br>
</div>
<div> extendedKeyUsage = emailProtection<br>
</div>
<div> crlDistributionPoints = @crl_dp<br>
</div>
<div> authorityInfoAccess = caIssuers;URI:http://localhost/rootca.der<br>
</div>
<div> certificatePolicies = ia5org,@policy<br>
</div>
<div>...</div>
<div>...<br>
</div>
</div>
<div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> openssl-users <openssl-users-bounces@openssl.org> on behalf of Michael Leone <turgon@mike-leone.com><br>
<b>Sent:</b> Saturday, 8 February 2020 2:01 AM<br>
<b>To:</b> openssl-users@openssl.org <openssl-users@openssl.org><br>
<b>Subject:</b> Re: Problems adding specific extensions to signed certificates</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="PlainText">On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni<br>
<openssl-users@dukhovni.org> wrote:<br>
><br>
> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:<br>
><br>
> > Oh, I can add extensions by signing and using the -extfile option, and<br>
> > specifying a file with the specific options I want to give the<br>
> > certificate. But I don't want to have to use an addon file, I want to<br>
> > add parameters to all signed certificates.<br>
><br>
> The documentation of x509(1) which you're using with "-req" as a<br>
> mini-CA, states explicitly:<br>
><br>
> -extfile filename<br>
> File containing certificate extensions to use. If not specified<br>
> then no extensions are added to the certificate.<br>
><br>
> -extensions section<br>
> The section to add certificate extensions from. If this option is<br>
> not specified then the extensions should either be contained in the<br>
> unnamed (default) section or the default section should contain a<br>
> variable called "extensions" which contains the section to use. See<br>
> the x509v3_config(5) manual page for details of the extension<br>
> section format.<br>
<br>
OK, so I read "man 5 x509v3_config", and it's still not clear to me<br>
how I get my extensions added to a req.<br>
I am following thsi example page from RedHat<br>
<br>
<a href="https://access.redhat.com/solutions/28965">https://access.redhat.com/solutions/28965</a><br>
<br>
So what is the secret I am missing? The way I am reading it, in the "[<br>
req ]", section I need to add<br>
<br>
x509_extensions = usr_cert # Desired extensions section<br>
<br>
and in "[ usr_cert ]", I have added the "KeyUsage" and<br>
"ExtendedKeyUsage" values I want.<br>
<br>
which I have done, and which is not giving me what I want.<br>
<br>
Obviously I'm missing something basic. Can anyone point out what I am<br>
doing wrong?<br>
<br>
The example page shows signing using a separate extensions file, which<br>
I can do, and have done, and that gives me those extensions. But why<br>
doesn't it work without that extension file??<br>
</div>
</span></font></div>
</div>
</body>
</html>