Problems adding specific extensions to signed certificates

Michael Leone turgon at
Fri Feb 7 16:12:11 UTC 2020

On Fri, Feb 7, 2020 at 11:02 AM Sergio NNX <sfhacker at> wrote:
> This is the basics of OpenSSL!
> You would like to add extensions to a CSR or the problem arises when signing it?

Yes, when I sign, I get no extensions that are requested in the CSR.
Nor are any added, when I sign (requested or not).

> > OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.
> Which part is not clear?

Pretty much all of it :-), because I tried doing it the way the man
page showed, and nothing worked for me.
I want the signed cert to have the requested extensions. And also a
SAN, since Chrome isn't happy unless it finds a SAN.
And sometimes more extensions than requested, if need be.

> First, you create a CSR file with the extensions you need/want.
>     (openssl req -new -config user.cnf -key user.key -out user.csr)

No, our CSRs are created by the machine that will use it. (IIS server,
AD DC, Linux phone system, etc). I never create a req, I just sign
incoming ones.

> That's it.

I can sign just fine. What I can't get it is a cert the way I need it
to be ... (well, I can, if I add in a -extfile containing all the
extensions, requested or not).

I can send you the openssl.cnf off list.

More information about the openssl-users mailing list