[openssl-users] overriding v3 extensions

Jakob Bohm jb-openssl at wisemo.com
Mon Mar 23 05:56:54 UTC 2015

On 21/03/2015 20:31, Thomas Tanner wrote:
> Hello,
> I'd like to set individual v3 extensions (in particular subjectAltname)
> when signing certificate requests (CSR) and use CA defaults for the
> other extensions.
> Is it possible to achieve this without passing the complete list of
> extensions for the certificate via -config or -extfile ?
> Example:
> I have a certificate request with subj=/CN=foo/emailAddress=foo@bar.com/
> and subjectAltname=email:foo@bar.com,DNS:bar.com
> and a default section for extensions v3_ext in openssl.cnf
> (authorityInfoAccess etc).
> I can change the subject of the CSR using "openssl req -subj newsubj".
> However, changing the extensions isn't that easy:
> I have tried to change the subjectAltname of the CSR to no avail with
> "openssl req -config extcfg -reqexts ext" with extcfg:
> [ext]
> subjAltname=newaltname
> If this was working, I would have added copy_extensions=copy in
> openssl.cnf and removed subjectAltname from the v3_ext section,
> so that subjectAltName would be copied from the modified CSR and merged
> with the defaults.
> It seems I need to copy the whole v3_ext section from openssl.cnf, replace
> subjectAltname with the desired value and run "openssl ca -extfile
> extcfg -extensions v3_ext"
Assuming that you meant "openssl req"

You need to copy the relevant request extensions (not
certificate extensions) section from openssl.cnf, along
with the 5 other request related sections (globals,
[new_oids], [req], [req_attributes] and
[req_distinguished_name]).  In practice, you can set up
a template file that simply ends with the [v3_req] section
(containing only "basicConstraints = CA:FALSE"), then
simply append the desired extensions to a copy, something
like this:

( cat openssl_req_tpl.cnf
echo keyUsage = ...
echo extendedKeyUsage = ...
echo nsCertType = ...
echo subjectAltName = @alt_names
echo [alt_names]
echo DNS.0 = ...
echo DNS.1 = ...
) > temp_req.cnf
openssl req -config temp_req.cnf -new ...

On Windows simply change the first line to
( type openssl_req_tpl.cnf

> Is there any other solution that does not require extracting v3_ext from
> openssl.cnf?
See above for my recipe, which doesn't reference the
computer's local "openssl.cnf" (which probably contains
junk from whatever installed openssl), but essentially
the answer is no.

As for the original problem of configuring an openssl-based
ca to copy some attributes from the incoming request, and
others from its own list of mandatory values, this is more
tricky, and I don't currently have a good solution.

Note in particular that the CA doesn't have a trusted copy
of the requestor's config file, just the digitally signed
binary data in the request.

Possible solutions:

a) Display (with
     openssl req -noout -text -in somefile.req
) all the data in the request when prompting the CA
operator to accept or deny the signing request, then
just use "copy_extensions = copy".  Also include any
mandatory extension values in the CA's openssl.cnf
(those will override the values in the request),
however there seems to be no config option to specify
a list of acceptable extensions or even a list of
extensions to not include at all.

b) Write a complex script which parses the output from
"openssl req -noout -text -in somefile.req" and writes
the acceptable extensions to a temporary CA config
file.  This is going to be hard.

c) Use the source code of "openssl ca" (apps/ca.c) to
create an enhanced ca app which has the missing feature.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

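A minimal version of solution (b), added here as an example and not part of the thread: it reads the text dump of the request, carries over only the one extension on an allowlist (subjectAltName) and writes a temporary section for "openssl ca -extfile" in which the CA's own mandatory values come first. The sample request text, the CA values and the OCSP URL are constructed for the example, and the SAN is assumed to fit on one line of the dump.

```shell
#!/bin/sh
# Added example (not from the thread): a small version of solution (b).
# Assumes the request has already been dumped with
#   openssl req -noout -text -in somefile.req > somefile.txt
# Only extensions on the allowlist (here: subjectAltName) are carried over;
# everything else comes from the CA's own mandatory list below.

# Constructed sample of "openssl req -noout -text" output, abridged.
# Note the request also asks for CA:TRUE, which must not be copied.
SAMPLE_REQ_TEXT='Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = foo, emailAddress = foo@bar.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:foo@bar.com, DNS:bar.com
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption'

# build_ca_extfile REQ_TEXT_FILE OUT_CNF
# Writes a [v3_ext] section for "openssl ca -extfile OUT_CNF -extensions v3_ext".
build_ca_extfile() {
  req_txt=$1; out=$2
  # The SAN value sits on the line after its header; assume one line (the
  # common case) and strip the indentation. Any other requested extension
  # is simply never read, so it cannot reach the certificate.
  san=$(awk '/X509v3 Subject Alternative Name:/ { getline; sub(/^[[:space:]]+/, ""); print; exit }' "$req_txt")
  {
    echo "[ v3_ext ]"
    # CA-mandated values (constructed for the example; adjust to policy).
    echo "basicConstraints = critical, CA:FALSE"
    echo "keyUsage = critical, digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = serverAuth, clientAuth"
    echo "authorityInfoAccess = OCSP;URI:http://ocsp.example.test/"
    echo "subjectKeyIdentifier = hash"
    echo "authorityKeyIdentifier = keyid:always"
    # Allowlisted request value, copied only if the request carried one.
    if [ -n "$san" ]; then echo "subjectAltName = $san"; fi
  } > "$out"
}

# Demo run on the constructed sample; the CA would then sign with e.g.
#   openssl ca -config ca.cnf -extfile filtered_ext.cnf -extensions v3_ext \
#              -in somefile.req -out somefile.crt
printf '%s\n' "$SAMPLE_REQ_TEXT" > sample_req.txt
build_ca_extfile sample_req.txt filtered_ext.cnf
cat filtered_ext.cnf
```

The operator still reviews the dump before signing, as in solution (a); this script only decides which requested values are allowed to reach the extfile.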