Generating X509 Version 2 certificate

Viktor Dukhovni openssl-users at
Fri Jul 10 14:55:30 UTC 2020

On Fri, Jul 10, 2020 at 05:46:44PM +0530, Varun Rapelly wrote:

> I would like to create a self signed certificate with X509 version 2.

Why exactly "version 2".  Are you per chance confused by the wire
encoding of X509 versions?

    X.509 version 1 <-> 0 in certificate version field  /* original specification */
    X.509 version 2 <-> 1 in certificate version field  /* largely unused */
    X.509 version 3 <-> 2 in certificate version field  /* modern specification */

    X.509 Version 2 introduced the concept of subject and issuer unique
    identifiers to handle the possibility of reuse of subject and/or
    issuer names over time. Most certificate profile documents strongly
    recommend that names not be reused, and that certificates should not
    make use of unique identifiers. Version 2 certificates are not
    widely used.

> I know that we need to configure "Issuer and subject unique identifiers"
> for X509 v2 format certificate, but not able to find the configuration
> required (in openssl.conf) to enable it.

These fields are *optional*.  You do not need to set these.

OpenSSL supports X.509v3, and has minimal support v2.  You can
inspect the optional unique ids via:

    void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
                        const ASN1_BIT_STRING **psuid)
        if (piuid != NULL)
            *piuid = x->cert_info.issuerUID;
        if (psuid != NULL)
            *psuid = x->cert_info.subjectUID;

but there's no support for setting these, other than by parsing
an ASN.1 X.509v2 encoded object that already has them.

> Please let me know how to enable the above mentioned
> extensions for creating X509v2 format certificate?
> Following below steps to create the certificate:
>     mkdir newcerts
>     touch index.txt
>     echo '01' > serial
>     cp ~/TLS_Cert/X509v2/ca.key .
>     cp ~/TLS_Cert/X509v2/ca.crt .
>     cp ~/TLS_Cert/X509v2/ca.cnf .
>      read answer
>     openssl ca -config ca.cnf -out -infiles request.csr
>     cat

There is no support for encoding these deprecated fields.


More information about the openssl-users mailing list