openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3

Dirk-Willem van Gulik dirkx at webweaving.org
Wed Apr 26 10:24:20 UTC 2023


On 26 Apr 2023, at 12:11, Jelle de Jong <jelledejong at powercraft.nl> wrote:
> I am trying to generate a CSR with X509v3 from a working X509v3 cert but the output generates a version 1 CSR without X509v3.
> 
> These are the steps to reproduce:
> 
> openssl req -utf8 -x509 -nodes -new -keyout key.pem -out cert.pem -days 3650 -subj '/CN=test.example.lan' -extensions v3_req -addext 'subjectAltName = DNS:test.example.lan'
> 
> openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extensions v3_req -ext subjectAltName,keyUsage,basicConstraints,extendedKeyUsage,certificatePolicies
> 
> openssl req -in csr.pem -noout -verify
> 
> openssl req -in csr.pem -out csr.req
> 
> # show X509v3 Subject Alternative Name:
> openssl x509 -in cert.pem -text -noout
> 
> # does not show X509v3 Subject Alternative Name:
> openssl req -in csr.req -text -noout
> 
> Tried with the bollow two versions
> 
> $ openssl version
> OpenSSL 1.1.1n  15 Mar 2022
> 
> # openssl version
> OpenSSL 1.1.1k  FIPS 25 Mar 2021
> 
> Can someone, do I need a diffrent openssl x509 -x509toreq -extensions …


I’d expect your default openssl.cnf or something to be empty or incomplete.

This should work:

	cat <<EOM > ext.cnf 
	authorityKeyIdentifier=keyid,issuer
	basicConstraints=CA:FALSE
	keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
	EOM

	openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extfile ./ext.cnf
	openssl req -in csr.req -text -noout

Dw.


% cat ext.cnf 
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

% openssl x509 -x509toreq -in cert.pem -signkey key.pem -extfile ./ext.cnf | openssl req -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = test.example.lan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f1:dc:10:07:5c:d0:2e:27:34:93:29:ff:fb:3f:
                    b0:6e:81:b8:84:5e:1c:a4:56:b5:15:b7:ff:f1:fa:
                    8e:ea:25:f0:03:7c:3a:4c:db:2e:69:7b:09:ae:78:
                    3a:c2:de:50:62:df:61:ed:15:53:53:f2:b5:20:f0:
                    92:71:c0:43:49:f6:72:32:31:ac:63:58:ec:ed:d3:
                    73:42:81:03:fb:06:1e:18:f5:56:75:9d:fe:e7:5f:
                    b0:ac:bb:26:1e:8b:a2:c6:12:4c:98:55:af:4f:35:
                    01:00:b0:2c:05:42:3a:34:ec:28:4f:c7:96:ff:41:
                    b4:5b:6a:78:a8:38:51:73:9b:f8:e8:98:27:93:d5:
                    ac:4b:0c:88:53:d2:3d:67:f5:2e:d9:73:55:1d:b4:
                    4d:f7:2b:13:b2:a0:58:69:f0:22:20:d5:09:ee:5c:
                    a3:d8:bc:f1:d9:3e:1e:82:2a:b0:c9:44:02:e1:a7:
                    eb:0f:8a:4a:de:9d:e5:34:51:7d:aa:5b:e5:a8:40:
                    c8:eb:4f:7b:56:38:bc:91:3a:bd:71:82:f5:b7:f7:
                    81:69:aa:5d:65:88:ca:e3:99:16:32:55:10:fd:4d:
                    f9:16:7e:72:63:98:ea:31:26:76:2a:87:7e:6d:e4:
                    35:ef:ce:79:c7:5c:c1:96:25:31:6f:1b:fc:f8:71:
                    97:59
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Authority Key Identifier:                      DirName:/CN=test.example.lan
                    serial:39:87:74:CF:10:D6:65:50:B4:AF:45:3A:1D:87:98:7A:D3:B5:16:EF
                X509v3 Basic Constraints:                      CA:FALSE
                X509v3 Key Usage:                      Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        ac:8a:5a:14:61:2f:59:21:b3:60:02:80:a5:c5:62:19:33:22:
        0f:98:da:0b:36:9f:00:86:94:67:30:16:b8:ca:ea:e9:35:f7:
        67:e3:c4:4a:40:d9:55:f6:5e:30:9a:91:7c:d5:5a:86:54:ee:
        24:c2:60:4a:4d:98:c6:e9:f6:b9:cd:e0:74:ac:e0:17:08:c1:
        9c:c7:1c:7c:f3:9c:4c:c5:0f:2e:15:cf:35:84:ed:03:b3:d8:
        90:88:6a:f9:ff:97:d0:82:f0:aa:24:e2:1a:78:ca:63:61:2b:
        52:9c:bc:6b:46:14:b4:c7:6d:16:13:86:07:4a:e7:5c:a8:7b:
        9c:76:7a:0f:e2:73:ae:d2:18:7a:92:04:2c:f9:29:ed:71:90:
        a1:f7:15:1c:5b:e4:93:58:55:fc:12:bb:ec:f4:60:65:bd:1d:
        0b:30:9b:89:d3:19:39:b6:37:43:1c:90:91:3a:41:6e:6c:c6:
        09:12:02:33:2e:ec:11:d0:e2:96:e0:6d:ed:fc:6a:89:b9:89:
        80:02:70:85:f7:01:4c:6a:5b:85:9a:e9:37:a3:7b:3f:ff:d1:
        2c:00:81:b2:de:83:dc:f2:b6:94:e5:d5:22:c5:4a:98:23:3c:
        a9:b9:a6:0d:43:41:0c:70:08:96:77:91:34:02:59:61:6c:2f:
        e5:c4:6f:60



More information about the openssl-users mailing list