Problems adding specific extensions to signed certificates

Michael Leone turgon at mike-leone.com
Thu Feb 6 23:55:12 UTC 2020


On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
>
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>        -extfile filename
>            File containing certificate extensions to use. If not specified
>            then no extensions are added to the certificate.
>
>        -extensions section
>            The section to add certificate extensions from. If this option is
>            not specified then the extensions should either be contained in the
>            unnamed (default) section or the default section should contain a
>            variable called "extensions" which contains the section to use. See
>            the x509v3_config(5) manual page for details of the extension
>            section format.
>
>
Ok. I'm not really a Linux guy, but I guess that means to do a "man 5
x509v3_config"?

I'll check when I get to work. I guess I just have a section mislabeled, or
I need to call a section differently?
> However, you don't need to create any static .cnf files with the desired
> settings.  You can specify a "-extfile" on the fly via bash(1) inline
> files:
>
>     openssl x509 -extfile <(printf "..." ....) ...
>
> which is the approach taken in:
>
>     https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh
As I said, not really a Linux guy. More, I need to write this as a HOWTO
for the others in my department, who have little (well, no) Linux
experience. I can tell them what changes to make to a text file, and how to
scp it to the Linux box, and then a step-by-step how to sign a cert using
said file, and then scp it back to where it needs to be (we're a Windows
place, with rare exceptions).

I'll look into it tomorrow at work. If I have further issues, I'll be back. :-)

Thanks for the help.
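A worked version of the -extfile/-extensions approach quoted above, added here as an example that is not part of this thread or of the OpenSSL project: it writes the extension file once, builds a throwaway CA and CSR as fixtures, signs the CSR as a mini-CA and then checks that the extensions actually landed in the issued certificate. The section name server_ext, the example.test hostnames and the CA subject are all constructed for the example.

```shell
#!/bin/sh
# Added example (constructed): mini-CA signing with -extfile/-extensions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The extension file every signed cert should get. This is the "text file"
# a HOWTO can hand to colleagues; "server_ext" is the name -extensions selects.
write_extfile() {
  cat > "$1" <<'EOF'
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.test, DNS:www.example.test
EOF
}

# Throwaway CA key/cert and an end-entity key/CSR (test fixtures only).
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -days 30 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Sign a CSR as a mini-CA, taking extensions from the named section of the
# ext file. Without -extfile, x509(1) adds no extensions at all.
sign_csr() {  # $1 csr, $2 extfile, $3 section, $4 output cert
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$2" -extensions "$3" -out "$4" 2>/dev/null
}

# Exit 0 if the issued cert's text form contains the given extension string.
has_extension() {  # $1 cert, $2 text as printed by "openssl x509 -text"
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

write_extfile "$WORK/ext.cnf"
make_fixtures
sign_csr "$WORK/server.csr" "$WORK/ext.cnf" server_ext "$WORK/server.crt"
has_extension "$WORK/server.crt" "Subject Alternative Name"
has_extension "$WORK/server.crt" "DNS:www.example.test"
```

If the -extensions name does not match any section in the file, openssl x509 exits non-zero rather than silently issuing an extension-less certificate, so a mislabeled section fails loudly. Where bash is available, the static file can be replaced by Viktor's inline form, `-extfile <(printf '...')`, with the same section contents.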