Need some help signing a certificate request

rgordey at centerprism.com
Sat Aug 21 17:26:03 UTC 2021


My openssl.cnf (I have tried `\` and `\\` and `/` directory separators):

[ ca ]
default_ca = testca

[ testca ]
dir = .
certificate = $dir\\ca_certificate.pem
database = $dir\\index.txt
new_certs_dir = $dir\\certs
private_key = $dir\\private\\ca_private_key.pem
serial = $dir\\serial

default_crl_days = 7
default_days = 365
default_md = sha256

policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = .\\private\\ca_private_key.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1



-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Michael Wojcik
Sent: Saturday, August 21, 2021 1:22 PM
To: openssl-users at openssl.org
Subject: RE: Need some help signing a certificate request

> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of 
> rgordey at centerprism.com
> Sent: Saturday, 21 August, 2021 09:48

> Thanks for the comment. I have tried both `/` and `\` with no change.

Most or all Windows APIs, and most programs, support the forward slash as a directory separator. The exceptions are mostly the cmd.exe built-ins.

> On Sat, Aug 21, 2021 at 09:21 <mailto:rgordey at centerprism.com> wrote 
> When I type ‘openssl ca -config .\openssl.cnf -in ../server/req.pem 
> -out

We need to see the contents of openssl.cnf. It might also help to have the CSR (req.pem). Since a CSR doesn't contain the private key (the CA should never see the private key), this is safe to share.

--
Michael Wojcik
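
A check that can be run on a file before posting it to a list, following the point above that a CSR carries no private key. This is an added example, not part of the original messages; the function names and the sample PEM blocks are constructed for illustration.

```python
import re

# PEM armor line as defined in RFC 7468: -----BEGIN <label>-----
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

# Block types that carry only public material (assumption: the file is
# being posted to get help with a signing request, as in this thread).
PUBLIC_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST",
                 "CERTIFICATE", "PUBLIC KEY"}

# Constructed samples: the bodies are placeholder text, not real keys.
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "Q09OU1RSVUNURUQgU0FNUExF\n"
    "-----END CERTIFICATE REQUEST-----\n"
)
SAMPLE_MIXED = SAMPLE_CSR + (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExF\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def pem_labels(text):
    """Return the label of every PEM block that starts in text, in order."""
    return _BEGIN.findall(text)


def share_check(text):
    """Return (ok, findings). ok is True only when text has at least one
    PEM block and none of them is a private key or an unknown type."""
    findings = []
    labels = pem_labels(text)
    if not labels:
        findings.append("no PEM block found")
    for label in labels:
        if label.endswith("PRIVATE KEY"):
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
            findings.append("private key block: " + label)
        elif label not in PUBLIC_LABELS:
            findings.append("unrecognised block: " + label)
    return (not findings, findings)


if __name__ == "__main__":
    for name, sample in (("csr", SAMPLE_CSR), ("mixed", SAMPLE_MIXED)):
        print(name, share_check(sample))
```

Only the BEGIN lines are inspected, so an encrypted or damaged key block is still flagged, and files saved with Windows line endings are handled.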


