openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3
David von Oheimb
it at von-Oheimb.de
Thu Apr 27 03:22:07 UTC 2023
P.S. I forgot to mention some parameters in the example for getting a
self-signed cert from a CSR - it should have read
openssl req -x509 -key key.pem -in csr.pem -days 3653 -copy_extensions copy -out cert.pem
or equivalently
openssl x509 -req -key key.pem -in csr.pem -days 3653 -copy_extensions copy -out cert.pem
Another advantage of using the OpenSSL 3.0+ apps is that they
automatically add any needed/recommended
subject key identifier (SKID) and authority key identifier (AKID)
extensions (while they are not needed for self-signed end-entity certs),
without the need to use extension configuration files or CLI parameters
such as -addext 'authorityKeyIdentifier = keyid:always'
On Wed, 2023-04-26 at 21:07 +0200, David von Oheimb wrote:
> On Wed, 2023-04-26 at 17:38 +0200, Jelle de Jong wrote:
>
> I do not see the CSR back in your suggestion.
>
> Yes, because I thought you do not need it because you produce a
> certificate before.
> And where needed, for simplicity and consistency better derive it from
> the certificate rather than creating it from scratch.
>
> Concerning the problem you mentioned that openssl x509 -x509toreq (by
> default) does not copy X509v3 extensions
> (BTW, PKCS#10 version 1 does support X.509 v3 extensions), I added
> support for this in OpenSSL 3.0, to use as follows:
>
> openssl x509 -x509toreq -in cert.pem -signkey key.pem -copy_extensions copy
>
> Even more straightforward would be to produce first a CSR, like this:
>
> openssl req -new -key key.pem -out csr.pem -subj '/CN=test.example.lan' \
> -addext 'subjectAltName = DNS:test.example.lan' \
> -addext 'keyUsage = digitalSignature, keyEncipherment'
>
> and then derive a certificate, using the extension copy feature
> I added to this app as well in OpenSSL 3.0 as follows:
>
> openssl req -x509 -key key.pem -in csr.pem -copy_extensions copy
>
>
> Yet of course both approaches do not work for you as long as you are
> stuck with OpenSSL 1.x.
>
> Sadly only Debian Testing is shipping openssl 3.0.8-1 and there is no
> backports package and my other systems also did not ship with version 3
> for testing. https://packages.debian.org/bullseye/openssl
>
> I have the same issue with Debian 11 (bullseye).
> Yet one can easily compile any OpenSSL version 3.x also on any recent
> version of Debian.
> There are nice tutorials on how to do this, see for instance here.
>
>
> What I am doing is to create a working but self-signed certificate
> first
> and then replacing it later with a certificate signed by the
> organisation (which can take multiple weeks at this customer).
>
> That is why I want to generate a CSR from a working certificate that
> I generated.
>
> I understand.
>
> -days 3653
>
> PKCS#10 CSRs (as opposed to CRMF CSRs) do not support a validity
> period -
> this needs to be defined and set by the certificate issuer (usually, a
> CA).
>
> -newkey rsa:2048
>
> Is there a way without having to use the -extfile configuration file?
>
> As I see in your below email, you meanwhile found (with the hints
> given before) how to do this.
>
> Kind regards,
> David
>
>
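An added example, not code from the thread: a POSIX shell function that runs the CSR to self-signed certificate to CSR round trip discussed above on OpenSSL 3.x and checks that the X.509v3 extensions (SAN, keyUsage) and the automatically added SKID survive each step. It assumes an `openssl` 3.x binary on PATH with its default config installed; the name test.example.lan is the constructed value from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Returns 0 when every check passes,
# 2 when OpenSSL 3.x is not available, 1 on any failure.
roundtrip_extensions() {
  major=$(openssl version 2>/dev/null | sed -n 's/^OpenSSL \([0-9]*\)\..*/\1/p')
  [ -n "$major" ] && [ "$major" -ge 3 ] || {
    echo "needs OpenSSL 3.x, found: $(openssl version 2>&1)"; return 2; }

  work=$(mktemp -d) || return 1

  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/key.pem" 2>/dev/null || return 1

  # 1. CSR with the extensions given on the command line (no -extfile needed).
  openssl req -new -key "$work/key.pem" -out "$work/csr.pem" \
    -subj '/CN=test.example.lan' \
    -addext 'subjectAltName = DNS:test.example.lan' \
    -addext 'keyUsage = digitalSignature, keyEncipherment' || return 1

  # 2. Self-signed cert derived from the CSR; -copy_extensions copy keeps
  #    SAN/keyUsage and OpenSSL 3.x adds the key identifier extensions itself.
  openssl req -x509 -key "$work/key.pem" -in "$work/csr.pem" -days 3653 \
    -copy_extensions copy -out "$work/cert.pem" || return 1

  # 3. Fresh CSR derived from the working cert (the step the thread is about).
  openssl x509 -x509toreq -in "$work/cert.pem" -key "$work/key.pem" \
    -copy_extensions copy -out "$work/csr2.pem" 2>/dev/null || return 1

  cert_txt=$(openssl x509 -in "$work/cert.pem" -noout -text)
  csr2_txt=$(openssl req -in "$work/csr2.pem" -noout -text)

  echo "$cert_txt" | grep -q 'Version: 3' || { echo "cert is not v3"; return 1; }
  echo "$cert_txt" | grep -q 'DNS:test.example.lan' || { echo "cert lost SAN"; return 1; }
  echo "$cert_txt" | grep -q 'Subject Key Identifier' || { echo "cert lacks SKID"; return 1; }
  echo "$csr2_txt" | grep -q 'DNS:test.example.lan' || { echo "derived CSR lost SAN"; return 1; }
  echo "$csr2_txt" | grep -q 'Digital Signature, Key Encipherment' \
    || { echo "derived CSR lost keyUsage"; return 1; }

  rm -rf "$work"
  echo "extensions survived the CSR -> cert -> CSR round trip"
  return 0
}
```

Run `roundtrip_extensions` after sourcing the file; a non-zero exit names the first hop at which an extension went missing.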