> On Jan 13, 2016, at 1:22 PM, Mauro Romano Trajber <trajber at gmail.com> wrote:
>
> In which section?
>
> On section [CA_default] I have 'copy_extensions = copy'

In case you find it useful, I am attaching a bash script I use to generate
certificate chains for various automated tests. This does not use any
customized .cnf files, and bypasses the ca(1) utility, just signs directly
via "openssl x509 -req" and extension settings created on the fly via
"-extfile <(printf ...)".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkcert
Type: application/octet-stream
Size: 2872 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160113/ce03cd51/attachment.obj>
-------------- next part --------------

The keys created are always EC P-256 keys, but you can change that part of
the script if you want RSA instead.

    $ ./mkcert genroot "Root CA" rootkey rootcert
    $ ./mkcert genca "Issuer CA" cakey cacert rootkey rootcert
    $ ./mkcert genee "$(uname -n)" eekey eecert cakey cacert
    $ openssl x509 -in eecert.pem -text -noout | egrep 'DNS:|Subject|Issuer'
            Issuer: CN = Issuer CA
            Subject: CN = vpro.lan
            Subject Public Key Info:
                X509v3 Subject Key Identifier:
                X509v3 Subject Alternative Name:
                    DNS:vpro.lan

--
Viktor.
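
The approach described in the message above, as an added example (it is not the attached mkcert script, whose contents are not on this page): each certificate is signed directly with "openssl x509 -req", with its extensions written on the fly by printf. The extensions go to a temporary file rather than through "<(printf ...)" so the block also runs under plain sh; the function names, file names, 30-day validity and extension choices are assumptions.

```shell
#!/bin/sh
# Added sketch: sign CSRs directly with "openssl x509 -req"; no ca(1), no
# hand-maintained .cnf. Function names, file names and DAYS are assumptions.
DAYS=30
ROOT_EXTS='basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash'
CA_EXTS="$ROOT_EXTS
authorityKeyIdentifier = keyid"

# issue CN KEY CERT EXTENSIONS [CAKEY CACERT]  (file names without ".pem")
# Creates an EC P-256 key and a certificate; self-signed when no CA is given.
issue() {
    cn=$1; key=$2; cert=$3; exts=$4; cakey=${5:-}; cacert=${6:-}
    cnf=$(mktemp) || return 1
    # Extensions sit in the unnamed section, which "x509 -extfile" reads by
    # default; the [req]/[dn] stanza lets "req" run without a system openssl.cnf.
    printf '%s\n[req]\ndistinguished_name = dn\n[dn]\n' "$exts" > "$cnf"
    if [ -n "$cakey" ]; then
        set -- -CA "$cacert.pem" -CAkey "$cakey.pem"
    else
        set -- -signkey "$key.pem"
    fi
    openssl ecparam -name prime256v1 -genkey -noout -out "$key.pem" &&
    openssl req -new -config "$cnf" -key "$key.pem" -subj "/CN=$cn" |
        openssl x509 -req -sha256 -days "$DAYS" -extfile "$cnf" \
            -set_serial "0x$(openssl rand -hex 8)" -out "$cert.pem" "$@"
    rc=$?
    rm -f "$cnf"
    return "$rc"
}

# build_chain DIR HOST: root -> issuer CA -> end-entity for HOST, then verify.
build_chain() (
    cd "$1" || exit 1
    issue "Root CA" rootkey rootcert "$ROOT_EXTS" &&
    issue "Issuer CA" cakey cacert "$CA_EXTS" rootkey rootcert &&
    issue "$2" eekey eecert "basicConstraints = CA:false
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$2" cakey cacert &&
    openssl verify -CAfile rootcert.pem -untrusted cacert.pem eecert.pem
)

# Stand-alone use: pass an existing directory and a host name.
if [ "$#" -eq 2 ]; then build_chain "$1" "$2"; fi
```

Because the subjectAltName is set at signing time from the extension file, nothing depends on the CSR carrying extensions or on a copy_extensions setting.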