On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:

> Oh, I can add extensions by signing and using the -extfile option, and
> specifying a file with the specific options I want to give the
> certificate. But I don't want to have to use an addon file, I want to
> add parameters to all signed certificates.

The documentation of x509(1), which you're using with "-req" as a
mini-CA, states explicitly:

    -extfile filename
        File containing certificate extensions to use. If not specified
        then no extensions are added to the certificate.

    -extensions section
        The section to add certificate extensions from. If this option
        is not specified then the extensions should either be contained
        in the unnamed (default) section or the default section should
        contain a variable called "extensions" which contains the
        section to use. See the x509v3_config(5) manual page for
        details of the extension section format.

> What part am I missing, or not understanding? I've got something basic
> wrong here, I just can't figure out what.

See above.

> Signing command:
>
> sudo openssl x509 -req -days 3650 -in requests/<CSR> \
>     -CA certs/<Internal-CA-cert> \
>     -CAkey private/<internal-CA-key> \
>     -CAserial serial -out certs/<signed-CSR>
>
> Doing that, I get no extensions.

As documented.

> Adding " -extfile cert-extensions", and putting the above extensions
> in that file, then I *do* get them.

As documented.

> I can post the whole openssl.cnf, if need be.

However, you don't need to create any static .cnf files with the desired
settings. You can specify a "-extfile" on the fly via bash(1) inline
files:

    openssl x509 -extfile <(printf "..." ....) ...

which is the approach taken in:

    https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh

-- 
	Viktor.
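As an added example that is not part of this thread (it is neither Viktor's nor the OpenSSL project's code), the following bash script shows the two behaviours discussed above end to end: it builds a throwaway internal CA and a leaf CSR, signs the CSR once with the thread's plain "x509 -req" command (no extensions come out) and once with extensions fed through a bash process substitution instead of a file on disk, then decodes both certificates. The CA name, the host name "www.example.test" and the extension values are constructed for the demonstration; "-CAcreateserial" is used in place of the thread's "-CAserial serial" so no serial file has to exist beforehand. It needs bash (for "<(...)") and the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example, not from the openssl-users thread or the OpenSSL project.
# Demonstrates "openssl x509 -req" with extensions supplied inline through a
# bash process substitution instead of a static -extfile on disk.
# Requires bash (for "<(...)") and the openssl command-line tool.
if [ -z "${BASH_VERSION:-}" ]; then exec bash "$0" "$@"; fi
set -euo pipefail
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

# Create a throwaway internal CA and a leaf CSR in the scratch directory $1.
# $2 is the leaf's host name; all names here are constructed for the example.
make_ca_and_csr() {
    local work="$1" host="$2"
    mkdir -p "$work"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/CN=Example Internal CA (constructed)" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
}

# Sign the CSR as in the thread's command: no -extfile, so x509(1) adds no
# extensions at all. Prints the decoded certificate.
sign_without_extensions() {
    local work="$1"
    openssl x509 -req -days 30 -in "$work/leaf.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/leaf-plain.crt" >/dev/null 2>&1
    openssl x509 -in "$work/leaf-plain.crt" -noout -text
}

# Sign the same CSR with extensions generated on the fly. The printf output
# carries no "[section]" header, so it forms the unnamed default section that
# x509(1) reads when -extensions is not given. Prints the decoded certificate.
sign_with_inline_extensions() {
    local work="$1" host="$2"
    openssl x509 -req -days 30 -in "$work/leaf.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/leaf-ext.crt" \
        -extfile <(printf '%s\n' \
            "basicConstraints = critical, CA:FALSE" \
            "keyUsage = critical, digitalSignature, keyEncipherment" \
            "extendedKeyUsage = serverAuth" \
            "subjectAltName = DNS:$host") >/dev/null 2>&1
    openssl x509 -in "$work/leaf-ext.crt" -noout -text
}

# Stand-alone run: show the extension blocks of both certificates.
if [ "${BASH_SOURCE[0]:-}" = "$0" ]; then
    demo_dir=$(mktemp -d)
    trap 'rm -rf "$demo_dir"' EXIT
    make_ca_and_csr "$demo_dir" "www.example.test"
    echo "== signed without -extfile =="
    sign_without_extensions "$demo_dir" \
        | sed -n '/X509v3 extensions/,/Signature Algorithm/p' \
        | grep . || echo "(no X509v3 extensions present)"
    echo "== signed with inline -extfile =="
    sign_with_inline_extensions "$demo_dir" "www.example.test" \
        | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
fi
```

The same process substitution works for the -extensions case too: print a "[section]" header followed by the settings and add "-extensions section" to the command, which is what mkcert.sh in the OpenSSL test suite does.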