Problems adding specific extensions to signed certificates

Viktor Dukhovni openssl-users at
Thu Feb 6 22:45:09 UTC 2020

On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:

> Oh, I can add extensions by signing and using the -extfile option, and
> specifying a file with the specific options I want to give the
> certificate. But I don't want to have to use an addon file, I want to
> add parameters to all signed certificates.

The documentation of x509(1) which you're using with "-req" as a
mini-CA, states explicitly:

       -extfile filename
           File containing certificate extensions to use. If not specified
           then no extensions are added to the certificate.

       -extensions section
           The section to add certificate extensions from. If this option is
           not specified then the extensions should either be contained in the
           unnamed (default) section or the default section should contain a
           variable called "extensions" which contains the section to use. See
           the x509v3_config(5) manual page for details of the extension
           section format.

> What part am I missing, or not understanding? I've got something basic
> wrong here, I just can't figure out what.

See above.

> Signing command:
> sudo openssl x509 -req -days 3650 -in requests/<CSR> \
>   -CA certs/<Internal-CA-cert> \
>   -CAkey private/<internal-CA-key> \
>   -CAserial serial -out certs/<signed-CSR>
> Doing that, I get no extensions.

As documented.

> Adding " -extfile cert-extensions", and putting the above extensions
> in that file, then I *do* get them.

As documented.

> I can post the whole openssl.cnf, if need be.

However, you don't need to create any static .cnf files with the desired
settings.  You can specify a "-extfile" on the fly via bash(1) inline

    openssl x509 -extfile <(printf "..." ....) ...

which is the approach taken in:


More information about the openssl-users mailing list