On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>     -extfile filename
>         File containing certificate extensions to use. If not specified
>         then no extensions are added to the certificate.
>
>     -extensions section
>         The section to add certificate extensions from. If this option is
>         not specified then the extensions should either be contained in the
>         unnamed (default) section or the default section should contain a
>         variable called "extensions" which contains the section to use. See
>         the x509v3_config(5) manual page for details of the extension
>         section format.
Ok. I'm not really a Linux guy, but I guess that means to do a "man 5 x509v3_config"?
I'll check when I get to work. I guess I just have a section mislabeled, or I need to call a section differently?
> However, you don't need to create any static .cnf files with the desired
> settings. You can specify a "-extfile" on the fly via bash(1) inline
> files:
>
>     openssl x509 -extfile <(printf "..." ....) ...
>
> which is the approach taken in:
>
> https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh
As I said, not really a Linux guy. More, I need to write this as a HOWTO for the others in my department, who have little (well, no) Linux experience. I can tell them what changes to make to a text file, and how to scp it to the Linux box, and then a step-by-step how to sign a cert using said file, and then scp it back to where it needs to be (we're a Windows place, with rare exceptions).
I'll look into it tomorrow at work. If I have further issues, I'll be back. :-)
Thanks for the help.
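The inline -extfile approach from Viktor's message, as an added example that is not code from this thread or from mkcert.sh. It feeds the extensions to "openssl x509 -req" through a here-document on -extfile /dev/stdin (a POSIX-portable stand-in for the bash <(printf ...) form) so that every certificate signed by the function gets the same end-entity profile without a static .cnf; the CA name, server name, SAN and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): mini-CA signing with "openssl x509 -req",
# extensions supplied from an inline file instead of a static .cnf. Because no
# -extensions section is named, the unnamed (default) section of the inline
# file is used, exactly as the quoted x509(1) text describes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA and a server CSR (all subjects constructed for this demo).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Demo Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=server.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# Sign the CSR. The here-document is the "file" given to -extfile, so the
# extension profile lives in the HOWTO script itself, not in a separate file.
# Keywords are standard x509v3_config(5) names; the SAN value is constructed.
sign_with_extensions() {
  openssl x509 -req -days 825 -sha256 \
    -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.crt" \
    -extfile /dev/stdin 2>/dev/null <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
}

# Return 0 if the signed certificate's text dump contains the given string;
# used to confirm the extensions really landed in the issued certificate.
has_extension() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "$1"
}

sign_with_extensions
has_extension "DNS:server.example.test" && echo "SAN present in $WORK/server.crt"
```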