Problems adding specific extensions to signed certificates

Michael Leone turgon at
Thu Feb 6 23:55:12 UTC 2020

On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni <openssl-users at>

> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>        -extfile filename
>            File containing certificate extensions to use. If not specified
>            then no extensions are added to the certificate.
>        -extensions section
>            The section to add certificate extensions from. If this option is
>            not specified then the extensions should either be contained in the
>            unnamed (default) section or the default section should contain a
>            variable called "extensions" which contains the section to use. See
>            the x509v3_config(5) manual page for details of the extension
>            section format.
Ok. I'm not really a Linux guy, but I guess that means to do a "man 5

I'll check when I get to work. I guess I just have a section mislabeled, or
I need to call a section differently?

> However, you don't need to create any static .cnf files with the desired
> settings.  You can specify a "-extfile" on the fly via bash(1) inline
> files:
>     openssl x509 -extfile <(printf "..." ....) ...
> which is the approach taken in:

As I said, not really a Linux guy. More, I need to write this as a HOWTO
for the others in my department, who have little (well, no) Linux
experience. I can tell them what changes to make to a text file, and how to
scp it to the Linux box, and then a step-by-step how to sign a cert using
said file, and then scp it back to where it needs to be (we're a Windows
place, with rare exceptions).

I'll look into it tomorrow at work. If I have further issues, I'll be back.

Thanks for the help.
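
Added example, not part of the original message and not OpenSSL project code: a self-contained run of the x509(1) "-req" mini-CA behaviour quoted above, using a static extension file. The CA, host name, file names and the section name server_cert are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every name below is constructed for the demonstration.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Throwaway CA and a server CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null

# Extension file with one named section; -extensions must select it.
cat > "$work/named.cnf" <<'EOF'
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF

# Same section, plus an "extensions" variable in the unnamed (default)
# section, so the section is picked up without -extensions.
{ echo "extensions = server_cert"; cat "$work/named.cnf"; } > "$work/default.cnf"

# sign NAME [x509 options...]: issue $work/NAME.crt from the CSR.
sign() {
    name=$1; shift
    openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.crt" \
        -CAkey "$work/ca.key" -CAcreateserial -days 1 \
        -out "$work/$name.crt" "$@"
}

# has_san NAME: succeed if $work/NAME.crt carries a subjectAltName.
has_san() {
    openssl x509 -in "$work/$1.crt" -noout -text |
        grep -q "X509v3 Subject Alternative Name"
}

sign plain                                   # no -extfile at all
sign nosect   -extfile "$work/named.cnf"     # named section never selected
sign selected -extfile "$work/named.cnf" -extensions server_cert
sign default  -extfile "$work/default.cnf"   # selected by "extensions" variable

for c in plain nosect selected default; do
    if has_san "$c"; then echo "$c.crt: subjectAltName present"
    else echo "$c.crt: subjectAltName MISSING"; fi
done
```

The nosect case signs without error but silently drops the extensions, so checking the issued certificate with "openssl x509 -noout -text" belongs in any signing procedure.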