Generating X509 Version 2 certificate
openssl-users at dukhovni.org
Fri Jul 10 14:55:30 UTC 2020
On Fri, Jul 10, 2020 at 05:46:44PM +0530, Varun Rapelly wrote:
> I would like to create a self signed certificate with X509 version 2.
Why exactly "version 2". Are you per chance confused by the wire
encoding of X509 versions?
X.509 version 1 <-> 0 in certificate version field /* original specification */
X.509 version 2 <-> 1 in certificate version field /* largely unused */
X.509 version 3 <-> 2 in certificate version field /* modern specification */
X.509 Version 2 introduced the concept of subject and issuer unique
identifiers to handle the possibility of reuse of subject and/or
issuer names over time. Most certificate profile documents strongly
recommend that names not be reused, and that certificates should not
make use of unique identifiers. Version 2 certificates are not
> I know that we need to configure "Issuer and subject unique identifiers"
> for X509 v2 format certificate, but not able to find the configuration
> required (in openssl.conf) to enable it.
These fields are *optional*. You do not need to set these.
OpenSSL supports X.509v3, and has minimal support v2. You can
inspect the optional unique ids via:
void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
const ASN1_BIT_STRING **psuid)
if (piuid != NULL)
*piuid = x->cert_info.issuerUID;
if (psuid != NULL)
*psuid = x->cert_info.subjectUID;
but there's no support for setting these, other than by parsing
an ASN.1 X.509v2 encoded object that already has them.
> Please let me know how to enable the above mentioned
> extensions for creating X509v2 format certificate?
> Following below steps to create the certificate:
> mkdir newcerts
> touch index.txt
> echo '01' > serial
> cp ~/TLS_Cert/X509v2/ca.key .
> cp ~/TLS_Cert/X509v2/ca.crt .
> cp ~/TLS_Cert/X509v2/ca.cnf .
> read answer
> openssl ca -config ca.cnf -out example.org.crt -infiles request.csr
> cat example.org.crt
There is no support for encoding these deprecated fields.
More information about the openssl-users