[openssl-users] overriding v3 extensions

Thomas Tanner tanner at gmx.net
Sat Mar 21 19:31:08 UTC 2015


I'd like to set individual v3 extensions (in particular subjectAltname)
when signing certificate requests (CSR) and use CA defaults for the
other extensions.
Is it possible to achieve this without passing the complete list of
extensions for the certificate via -config or -extfile ?

I have a certificate request with subj=/CN=foo/emailAddress=foo at bar.com/
and subjectAltname=email:foo at bar.com,DNS:bar.com
and a default section for extensions v3_ext in openssl.cnf
(authorityInfoAccess etc).
I can change the subject of the CSR using "openssl req -subj newsubj".
However, changing the extensions isn't that easy:

I have tried to change the subjectAltname of the CSR to no avail with
"openssl req -config extcfg -reqexts ext" with extcfg:

If this was working, I would have added copy_extensions=copy in
openssl.cnf and removed subjectAltname from the v3_ext section,
so that subjectAltName would be copied from the modified CSR and merged
with the defaults.

It seems I need copy the whole v3_ext section from openssl.cnf, replace
subjectAltname with the desired value and run "openssl ca -extfile
extcfg -extensions v3_ext"

Is there any other solution that does not require extracting v3_ext from

Thank you!

More information about the openssl-users mailing list