This is driving me crazy. I have a CA, running on Debian 9, running openssl 1.1.0. (this CA is for our organization internal use only, of course). I can successfully sign requests. However, what I can't seem to do, is add x509 extensions to the signed certificate, as part of the openssl.cnf. Oh, I can add extensions by signing and using the -extfile option, and specifying a file with the specific options I want to give the certificate. But I don't want to have to use an addon file, I want to add parameters to all signed certificates. keyUsage=digitalSignature,keyEncipherment,dataEncipherment extendedKeyUsage=serverAuth,clientAuth subjectKeyIdentifier=hash (since all requests come from our own servers, I know that I want to be sure that the requesting cert gets these, regardless of what else the request asks for) But I'm having a heck of a time accomplishing this, probably due to my own lack of understanding. I thought that, in the "[ req ]" section of my openssl.cnf, if I have this: #################################################################### # This is the default certificate request settings # [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes #x509_extensions = v3_ca # The extensions to add to the self signed cert req_extensions = v3_req x509_extensions = usr_cert [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = client, email nsComment = "PHA Internally generated Client Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer #keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment #extendedKeyUsage = clientAuth, emailProtection # # PHA Added # keyUsage=digitalSignature,keyEncipherment,dataEncipherment extendedKeyUsage=serverAuth,clientAuth subjectKeyIdentifier=hash Then I would get the extensions that I want, since they are in the "[ usr_cert ]" section, which is what is called for the x509_extensions when signing a request. But that turns out not to be the case. What part am I missing, or not understanding? I've got something basic wrong here, I just can't figure out what. Signing command: sudo openssl x509 -req -days 3650 -in requests/<CSR> -CA certs/<Internal-CA-cert> -CAkey private/<internal-CA-key> -CAserial serial -out certs/<signed-CSR> Doing that, I get no extensions. Adding " -extfile cert-extensions", and putting the above extensions in that file, then I *do* get them. I can post the whole openssl.cnf, if need be. Thanks for any help. -- Mike. Leone, <mailto:turgon@xxxxxxxxxxxxxx> PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos> This space reserved for future witticisms ...
