On Fri, Feb 7, 2020 at 8:54 AM Michael Leone <turgon@xxxxxxxxxxxxxx> wrote:
> Thanks, tho, I did learn a thing or two. I see from this example
>
>    openssl req -config $cfgdir/openssl-root.cnf $passin \
>      -set_serial 0x$(openssl rand -hex $sn)\
>      -keyform $format -outform $format\
>      -key $rootca/private/ca.key.$format -subj "$DN"\
>      -new -x509 -days 7300 -sha256 -extensions v3_ca\
>      -out $cadir/certs/ca.cert.$format
>
> That maybe I can pass the explicit section that has the extensions
> that I want, from the command line. I will try that. In my case, the
> "[ usr_cert ]" or perhaps "[ server_cert ]".

Nope, no key extensions in the generated cert, even when passing
"-extensions user_cert" on the CLI.

I'll keep plugging away, I guess.