Problems adding specific extensions to signed certificates

Michael Leone turgon at
Fri Feb 7 16:05:29 UTC 2020

On Fri, Feb 7, 2020 at 10:30 AM Michael Richardson <mcr at> wrote:
> Michael Leone <turgon at> wrote:
>     > On Fri, Feb 7, 2020 at 8:54 AM Michael Leone <turgon at> wrote:
>     >> Thanks, tho, I did learn a thing or two. I see from this example
>     >>
>     >> openssl req -config $cfgdir/openssl-root.cnf $passin \
>     >> -set_serial 0x$(openssl rand -hex $sn)\
>     >> -keyform $format -outform $format\
>     >> -key $rootca/private/ca.key.$format -subj "$DN"\
>     >> -new -x509 -days 7300 -sha256 -extensions v3_ca\
>     >> -out $cadir/certs/ca.cert.$format
>     >>
>     >>
>     >> That maybe I can pass the explicit section that has the extensions
>     >> that I want, from the command line. I will try that. In my case, the
>     >> "[ usr_cert ]" or perhaps "[ server_cert ]".
>     > Nope, no key extensions in the generated cert, even when passing
>     > "-extensions user_cert" on the CLI.
>     > I'll keep plugging away, I guess.
> What's in the [user_cert] stanza?

This: (the "user" is a typo; the entry reads "usr", and that is what I
used in the CLI invocation.)

# Extensions for client certificates (`man x509v3_config`).
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "PHA Internally generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

I did get it to work, on the signing command by doing this:

sudo openssl x509 -req -days 3650 -in requests/<CSR> -CA
certs/<CA-Cert> -CAkey private/<CA-Private-Key> -CAserial serial -out
certs/<signed-cert> -extensions PHA_extensions -extfile

with the file "cert-extensions":

[ PHA_extensions ]
basicConstraints = critical,CA:FALSE

I couldn't get any extensions - none, or SAN, into the cert any other
way. Nor did the cert have the CSR requested extensions, until I added
them in that file. This is in the CSR:

       Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment,
Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication

(I am using an IIS server to make the requests, as the vast majority of
certs that I will sign will come either from IIS, or a Windows server)


Mike. Leone, <mailto:turgon at>
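
Added example (not part of the original post): a throwaway CA signs a constructed CSR twice with "openssl x509 -req", once without and once with -extfile/-extensions, to show that the extensions requested in the CSR reach the certificate only when the CA supplies them itself. The names demo.cnf, www.example.test and the extension values placed in cert-extensions are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: constructed test CA and CSR; every name here is a placeholder.
set -e
cd "$(mktemp -d)"

# One config for both requests: CSR extensions (as in the IIS CSR) and CA extensions.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = www.example.test
[ v3_req ]
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
# Throwaway CA certificate, then the server CSR carrying "Requested Extensions".
openssl req -x509 -config demo.cnf -extensions v3_ca -subj "/CN=Example Test CA" \
    -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout srv.key -out srv.csr 2>/dev/null

# Extensions the CA chooses to issue; the signer, not the requester, decides these.
cat > cert-extensions <<'EOF'
[ PHA_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# sign OUT [extra openssl args]: sign srv.csr with the test CA.
sign() {
    out=$1; shift
    openssl x509 -req -days 30 -in srv.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out "$out" "$@" 2>/dev/null
}
# has_ext KIND FILE PATTERN: succeed if the text dump (req or x509) contains PATTERN.
has_ext() {
    openssl "$1" -in "$2" -noout -text | grep -q "$3"
}

sign plain.crt                                              # CSR extensions are dropped
sign ext.crt -extfile cert-extensions -extensions PHA_extensions
openssl x509 -in ext.crt -noout -text | grep -A1 "X509v3"   # review what was issued
```

Because the CSR's requests are ignored by default, a requester cannot obtain CA:TRUE or an unexpected key usage merely by asking for it; review the -extfile section before each signing run.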