Problems adding specific extensions to signed certificates
turgon at mike-leone.com
Fri Feb 7 16:12:11 UTC 2020
On Fri, Feb 7, 2020 at 11:02 AM Sergio NNX <sfhacker at hotmail.com> wrote:
> This is the basics of OpenSSL!
> You would like to add extensions to a CSR or the problem arises when signing it?
Yes, when I sign, I get no extensions that are requested in the CSR.
Nor are any added, when I sign (requested or not).
> > OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.
> Which part is not clear?
Pretty much all of it :-), because I tried doing it the way the man
page showed, and nothing worked for me.
I want the signed cert to have the requested extensions. And also a
SAN, since Chrome isn't happy unless it finds a SAN.
And sometimes more extensions than requested, if need be.
> First, you create a CSR file with the extensions you need/want.
> (openssl req -new -config user.cnf -key user.key -out user.csr)
No, our CSRs are created by the machine that will use it. (IIS server,
AD DC, Linux phone system, etc). I never create a req, I just sign
> That's it.
I can sign just fine. What I can't get is a cert the way I need it
to be ... (well, I can, if I add in a -extfile containing all the
extensions, requested or not).
I can send you the openssl.cnf off list.