Problems adding specific extensions to signed certificates

Michael Leone turgon at
Fri Feb 7 15:01:03 UTC 2020

On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni
<openssl-users at> wrote:
> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>        -extfile filename
>            File containing certificate extensions to use. If not specified
>            then no extensions are added to the certificate.
>        -extensions section
>            The section to add certificate extensions from. If this option is
>            not specified then the extensions should either be contained in the
>            unnamed (default) section or the default section should contain a
>            variable called "extensions" which contains the section to use. See
>            the x509v3_config(5) manual page for details of the extension
>            section format.

OK, so I read "man 5 x509v3_config", and it's still not clear to me
how I get my extensions added to a req.
I am following thsi example page from RedHat

So what is the secret I am missing? The way I am reading it, in the "[
req ]", section I need to add

x509_extensions          = usr_cert             # Desired extensions section

and in "[ usr_cert ]", I have added the "KeyUsage" and
"ExtendedKeyUsage" values I want.

which I have done, and which is not giving me what I want.

Obviously I'm missing something basic. Can anyone point out what I am
doing wrong?

The example page shows signing using a separate extensions file, which
I can do, and have done, and that gives me those extensions. But why
doesn't it work without that extension file??

More information about the openssl-users mailing list