X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=req_ext, name=extendedKeyUsage, value=

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jul 5 16:15:02 UTC 2023

On Wed, Jul 05, 2023 at 11:51:42AM -0400, Robert Moskowitz wrote:

> I have:
> [ req_ext ]
> basicConstraints = $ENV::basicConstraints
> keyUsage = $ENV::certkeyusage
> extendedKeyUsage = $ENV::certextkeyusage
> subjectAltName = $ENV::subjectAltName
> And sometimes I want these variables to be empty.  That is not to be 
> included in the csr.
> I thought that I had this working, but guess not.
> How can I have is so that some csr are created with all of these and 
> others only some?

Use separate config files.  I always construct config files "on the fly":

    $ openssl ... -config <(
        cat common-bits.cnf
        printf " ... custom bits %s ... \n" "$arg1" ...
        printf " ... more custom bits %s ... \n" "$arg1" ...

And don't use the "$ENV" feature.  For advanced examples of that
pattern see:


It depends on your shell (e.g. bash) supporting inline <( ... ) files
(under the covers /dev/fd/<pipe-fd-number>).  Works for any file that
is read sequentially from the start without seeking (pipes don't lseek).

You can of course also curate multiple config templates that use various
subsets of the desired parameters, or a single script can look at which
environment variables are set and generate the correspondig config on
the fly as above, or in tempfile:

    cnf=$(mktemp -t cnf.XXXXXX)
    trap 'rc=$?; '"rm -f ${cnf}; "'exit $rc' EXIT HUP INT TERM

    ... generate custom config in "$cnf" ...
    openssl -config "$cnf" ....


More information about the openssl-users mailing list