openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3

David von Oheimb it at
Thu Apr 27 03:22:07 UTC 2023

P.S. I forgot to mention some parameters in the example for getting a
self-signed cert from a CSR - it should have read

openssl req -x509 -key key.pem -in csr.pem -days 3653 -copy_extensions copy -out cert.pem

or equivalently

openssl x509 -req -key key.pem -in csr.pem -days 3653 -copy_extensions copy -out cert.pem

Another advantage of using the OpenSSL 3.0+ apps is that they
automatically add any needed/recommended 
subject key identifier (SKID) and authority key identifier (AKID)
extensions (while they are not needed for self-signed end-entity certs),
without the need to use extension configuration files or CLI parameters
such as -addext 'authorityKeyIdentifier = keyid:always'

On Wed, 2023-04-26 at 21:07 +0200, David von Oheimb wrote:
> On Wed, 2023-04-26 at 17:38 +0200, Jelle de Jong wrote:
> I do not see the CSR back in your suggestion.
> Yes, because I thought you do not need it because you produce a
> certificate before.
> And where needed, for simplicity and consistency better derive it from
> the certificate rather than creating it from scratch.
> Concerning the problem you mentioned that openssl x509 -x509toreq (by
> default) does not copy X509v3 extensions
> (BTW, PKCS#10 version 1 does support X.509 v3 extensions), I added
> support for this in OpenSSL 3.0, to use as follows:
> openssl x509 -x509toreq -in cert.pem -signkey key.pem -copy_extensions copy
> Even more straightforward would be to produce first a CSR, like this:
> openssl req -new -key key.pem -out csr.pem -subj '/CN=test.example.lan' \
>   -addext 'subjectAltName = DNS:test.example.lan' \
>   -addext 'keyUsage = digitalSignature, keyEncipherment'
> and then derive a certificate, using the extension copy feature
> I added to this app as well in OpenSSL 3.0 as follows: 
> openssl req -x509 -key key.pem -in csr.pem -copy_extensions copy 
> Yet of course both approaches do not work for you as long as you are
> stuck with OpenSSL 1.x.
> Sadly only Debian Testing is shipping openssl 3.0.8-1 and there is no 
> backports package and my other systems also did not ship with version
>> for testing.
> I have the same issue with Debian 11 (bullseye).
> Yet one can easily compile any OpenSSL version 3.x also on any recent
> version of Debian.
> There are nice tutorials how to do this, see for instance here.
> What I am doing is to create a working but self-signed certificate
> first 
> and then replacing it later with a certificate signed by the 
> organisation (which can take multiple weeks at this customer).
> That is why I want to generate a CSR from a working certificate that
> I generated.
> I understand.
> -days 3653
> PKCS#10 CSRs (as opposed to CRMF CSRs) do not support a validity
> period - 
> this needs to be defined and set by the certificate issuer (usually, a
> CA).
> -newkey rsa:2048
> Is there a way without having to use the -extfile configuration file?
> As I see in your below email, you meanwhile found (with the hints
> given before) how to do this.
> Kind regards,
>  David
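
The CSR -> self-signed certificate -> CSR round trip described in this message, as an added example that is not part of the original post and not code from the OpenSSL project. It uses the commands quoted in the thread; the function names, the temporary directory, the RSA 2048 key and the strings matched in the `-text` output are assumptions of this example.

```shell
#!/bin/sh
# Constructed test values: CN/SAN test.example.lan as in the thread,
# a throwaway RSA key, all files in a temp dir that is removed afterwards.

# Major version of the openssl binary on PATH (empty for LibreSSL or if missing).
openssl_major() {
    openssl version 2>/dev/null | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p'
}

# Succeeds if the PEM file still carries the SAN and key usage set in the CSR.
# $1 = "x509" (certificate) or "req" (CSR), $2 = file name
has_exts() {
    text=$(openssl "$1" -in "$2" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'DNS:test.example.lan' &&
    printf '%s\n' "$text" | grep -q 'Digital Signature, Key Encipherment'
}

# Returns 0 if the extensions survive both conversions,
# 2 if the installed OpenSSL is older than 3.0 (no -copy_extensions in req/x509),
# any other non-zero value on failure.
roundtrip() {
    major=$(openssl_major)
    [ "${major:-0}" -ge 3 ] || { echo "needs OpenSSL 3.0+" >&2; return 2; }
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        openssl genrsa -out key.pem 2048 2>/dev/null &&
        # 1. CSR with the extensions given on the command line
        openssl req -new -key key.pem -out csr.pem -subj '/CN=test.example.lan' \
            -addext 'subjectAltName = DNS:test.example.lan' \
            -addext 'keyUsage = digitalSignature, keyEncipherment' &&
        # 2. Self-signed certificate that copies the CSR extensions
        openssl req -x509 -key key.pem -in csr.pem -days 3653 \
            -copy_extensions copy -out cert.pem &&
        # 3. CSR derived back from the certificate, again copying extensions
        openssl x509 -x509toreq -in cert.pem -signkey key.pem \
            -copy_extensions copy -out csr2.pem &&
        has_exts req csr.pem && has_exts x509 cert.pem && has_exts req csr2.pem &&
        # The derived CSR must carry a valid self-signature made with key.pem
        openssl req -in csr2.pem -noout -verify 2>/dev/null
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
# Usage: roundtrip && echo "SAN and keyUsage preserved"
```
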