Openssl req signs certificate with "Basic Constraints: CA: TRUE"

Glen Huang heyhgl at gmail.com
Thu Jan 27 13:09:10 UTC 2022


Thanks Matt,

After disabling the default config, basic constraints are omitted.

It seems a more revealing description is in "-config": for a description of the default value, see "COMMAND SUMMARY" in openssl(1).

I didn't know "-config" has a default value and it usually points to the one shipped with openssl. Thanks for bringing my attention to it.

Regards,
Glen

> On Jan 27, 2022, at 8:25 PM, Matt Caswell <matt at openssl.org> wrote:
> 
> 
> 
> On 27/01/2022 06:00, Glen Huang wrote:
>> Hi,
>> I’m trying to create a signed certificate from a CA certificate without creating a CSR first. From the doc, I came up with this command:
>> ```
>> openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj '/CN=leaf' -out leaf.crt
>> ```
>> However,
>> ```
>> openssl x509 -in leaf.crt -text -noout
>> ```
>> reports that it contains:
>> ```
>> X509v3 Basic Constraints: critical
>>     CA:TRUE
>> ```
>> Which should be incorrect, since leaf.crt has an issuer and is not a CA.
>> I wonder if this is by design? Is there a way to omit the basic constraints extension in a leaf certificate?
> 
> A close reading of the openssl-req man page will reveal the hint that explains this:
> 
> https://www.openssl.org/docs/man3.0/man1/openssl-req.html
> 
> You have used the -CA option. The man page describes this option as follows:
> 
> Specifies the "CA" certificate to be used for signing a new certificate and implies use of -x509. When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as specified below.
> 
> The "implies use of -x509" is significant here. The description of the "-x509" option says that "X.509 extensions to be added can be specified in the configuration file". Later the description of the configuration file format on that man page says:
> 
> x509_extensions
> This specifies the configuration file section containing a list of extensions to add to certificate generated when -x509 is in use. It can be overridden by the -extensions command line switch.
> 
> 
> Next if we look at the default config file, we see this:
> 
> [ req ]
> default_bits		= 2048
> default_keyfile 	= privkey.pem
> distinguished_name	= req_distinguished_name
> attributes		= req_attributes
> x509_extensions	= v3_ca	# The extensions to add to the self signed cert
> 
> 
> The comment against "x509_extensions" is actually misleading. These are actually the extensions to add if the "-x509" option is in use (which is implied by -CA). Usually if you're just using "-x509" then you are creating a self-signed cert - but not if you are using "-CA".
> 
> So, assuming you are using the default config file settings, then the extensions to be added are "v3_ca". This has the effect of adding the "Basic Constraints, CA:TRUE" setting to the certificate. If you comment out that line from the config file then it won't get added.
> 
> Matt
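The behaviour Matt describes, reproduced end to end as an added shell example (not code from the thread or from the OpenSSL project): a constructed `req.cnf` mirrors the shipped default by pointing `x509_extensions` at `v3_ca`, so a leaf issued with `-CA` comes out with `CA:TRUE`; the second invocation selects a hypothetical `v3_leaf` section with `-extensions`, which overrides `x509_extensions` and yields `CA:FALSE`. It assumes OpenSSL 3.x (`openssl req -CA` is not in 1.1.1 or LibreSSL) and skips itself otherwise; the section names, file names and `cert_is_ca`/`chains_to_ca` helpers are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reproduces the CA:TRUE-on-a-leaf
# result with a config that mirrors the shipped default, then shows the fix.
# Requires OpenSSL 3.x: "openssl req -CA" does not exist in 1.1.1 or LibreSSL.
set -eu

openssl version 2>/dev/null | grep -q '^OpenSSL 3' || { echo "OpenSSL 3.x not found, skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed config. [ req ] points x509_extensions at v3_ca exactly as the
# shipped openssl.cnf does, so every -x509 output (and -CA implies -x509) gets it.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca    # default section for -x509 / -CA output
prompt             = no

[ req_distinguished_name ]
CN = placeholder              # overridden by -subj below

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out leaf.key

# Self-signed CA: here the v3_ca default is what we want.
openssl req -x509 -key ca.key -subj /CN=ca -config req.cnf -out ca.crt

# As in the thread: -CA implies -x509, so x509_extensions (v3_ca) lands on the leaf.
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj /CN=leaf \
    -config req.cnf -out leaf-bad.crt

# Fix: name the leaf section explicitly; -extensions overrides x509_extensions.
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj /CN=leaf \
    -config req.cnf -extensions v3_leaf -out leaf-good.crt

# Returns 0 when the certificate asserts CA:TRUE in Basic Constraints, 1 otherwise.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 when the leaf chains to the CA under the default verification policy.
chains_to_ca() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

for f in leaf-bad.crt leaf-good.crt; do
    if cert_is_ca "$f"; then echo "$f: CA:TRUE (wrong for a leaf)"; else echo "$f: not a CA"; fi
done
```

The same effect can be had by commenting out `x509_extensions` in the config, as Matt suggests, but an explicit `-extensions` section is easier to audit: the leaf then carries `CA:FALSE` rather than no Basic Constraints at all, and a reviewer can see the intended profile in one place.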
