On Fri, Feb 7, 2020 at 10:30 AM Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
>
>
> Michael Leone <turgon@xxxxxxxxxxxxxx> wrote:
> > On Fri, Feb 7, 2020 at 8:54 AM Michael Leone <turgon@xxxxxxxxxxxxxx> wrote:
> >> Thanks, tho, I did learn a thing or two. I see from this example
> >>
> >> openssl req -config $cfgdir/openssl-root.cnf $passin \
> >>   -set_serial 0x$(openssl rand -hex $sn) \
> >>   -keyform $format -outform $format \
> >>   -key $rootca/private/ca.key.$format -subj "$DN" \
> >>   -new -x509 -days 7300 -sha256 -extensions v3_ca \
> >>   -out $cadir/certs/ca.cert.$format
> >>
> >>
> >> That maybe I can pass the explicit section that has the extensions
> >> that I want, from the command line. I will try that. In my case, the
> >> "[ usr_cert ]" or perhaps "[ server_cert ]".
>
> > Nope, no key extensions in the generated cert, even when passing
> > "-extensions user_cert" on the CLI.
>
> > I'll keep plugging away, I guess.
>
> What's in the [user_cert] stanza?

This: (the "user" is a typo; the entry reads "usr", and that is what I used
in the CLI invocation.)

    # Extensions for client certificates (`man x509v3_config`).
    [ usr_cert ]
    basicConstraints = CA:FALSE
    nsCertType = client, email
    nsComment = "PHA Internally generated Client Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage=digitalSignature,keyEncipherment,dataEncipherment
    extendedKeyUsage=serverAuth,clientAuth
    subjectKeyIdentifier=hash
    subjectAltName = @alt_names

I did get it to work, on the signing command by doing this:

    sudo openssl x509 -req -days 3650 -in requests/<CSR> -CA certs/<CA-Cert> -CAkey private/<CA-Private-Key> -CAserial serial -out certs/<signed-cert> -extensions PHA_extensions -extfile cert-extensions

with the file "cert-extensions":

    [ PHA_extensions ]
    basicConstraints = critical,CA:FALSE
    keyUsage=digitalSignature,keyEncipherment,dataEncipherment,nonRepudiation
    extendedKeyUsage=serverAuth,clientAuth
    subjectKeyIdentifier=hash
    subjectAltName=DNS.1:<FQDN>

I couldn't get any extensions - none, or SAN, into the cert any other way.
Nor did the cert have the CSR requested extensions, until I added them in
that file. This is in the CSR:

        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication

(I am using an IIS server to make the requests, as the vast majority of
certs that I will sign will come either from IIS, or a Windows server)

--
Mike. Leone, <mailto:turgon@xxxxxxxxxxxxxx>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...
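The recipe that finally worked in the message above, rebuilt end to end in a scratch directory as an added example (this is not code from the thread; the throwaway CA, the demo host name client01.example.internal and the demo_sign function are assumptions). It generates a CSR that itself requests KU/EKU, signs it with "openssl x509 -req -extfile/-extensions", and prints the extension block of the result so you can see that what the CA issues comes from the extfile section, not from the CSR.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the poster's signing
# recipe in a scratch directory and show which extensions end up in
# the certificate. Requires openssl 1.1.1+ (for "req -addext").
set -eu
demo_sign() {
    # Hypothetical host name for the demo; pass your own as $1.
    fqdn="${1:-client01.example.internal}"
    workdir=$(mktemp -d)
    (
        cd "$workdir"

        # Throwaway CA key and self-signed CA certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=Demo Internal CA" -keyout ca.key -out ca.crt 2>/dev/null

        # A CSR that itself requests KU/EKU, like the IIS-generated one in
        # the thread. "openssl x509 -req" will NOT copy these into the cert.
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
            -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment" \
            -addext "extendedKeyUsage=serverAuth" \
            -keyout leaf.key -out leaf.csr 2>/dev/null

        # The poster's extfile, with the FQDN placeholder filled in.
        cat > cert-extensions <<EOF
[ PHA_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment,nonRepudiation
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash
subjectAltName=DNS.1:$fqdn
EOF

        # Sign exactly as in the thread: the extensions come from the
        # extfile section, not from the CSR (-CAcreateserial stands in
        # for the poster's pre-existing "serial" file).
        openssl x509 -req -days 3650 -in leaf.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out leaf.crt \
            -extensions PHA_extensions -extfile cert-extensions 2>/dev/null

        # Emit only the extension block of the signed certificate so a
        # caller (or a test) can check what the CA actually issued.
        openssl x509 -in leaf.crt -noout -text |
            sed -n '/X509v3 extensions:/,/Signature Algorithm:/p'
    )
    rm -rf "$workdir"
}
demo_sign "$@"
```

The practical consequence for anyone running such a CA: whatever an IIS-generated CSR asks for, only what the extfile section lists lands in the certificate, so that file, not the CSR, is where KU/EKU/SAN policy is actually decided and should be reviewed.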