Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 11:02 AM Sergio NNX <sfhacker@xxxxxxxxxxx> wrote:
>
> This is the basics of OpenSSL!
>
> You would like to add extensions to a CSR or the problem arises when signing it?

Yes, when I sign, I get no extensions that are requested in the CSR.
Nor are any added, when I sign (requested or not).

> > OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.
> Which part is not clear?

Pretty much all of it :-), because I tried doing it the way the man
page showed, and nothing worked for me.
I want the signed cert to have the requested extensions. And also a
SAN, since Chrome isn't happy unless it finds a SAN.
And sometimes more extensions than requested, if need be.

> First, you create a CSR file with the extensions you need/want.
>     (openssl req -new -config user.cnf -key user.key -out user.csr)

No, our CSRs are created by the machine that will use it. (IIS server,
AD DC, Linux phone system, etc.). I never create a req, I just sign
incoming ones.

> That's it.

I can sign just fine. What I can't get is a cert the way I need it
to be ... (well, I can, if I add in a -extfile containing all the
extensions, requested or not).

I can send you the openssl.cnf off list.
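
The behaviour described in this message, reproduced as an added example that is not part of the original post: a CSR that requests a SAN is signed once without and once with `-extfile`, and only the second certificate carries the SAN. It assumes signing is done with `openssl x509 -req`; the CA name, host name and file names are constructed.

```shell
#!/usr/bin/env bash
# Added example; CA name, host name and file names are constructed.
workdir=$(mktemp -d)

setup() {
  cd "$workdir" || return 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = host.example.test
[v3_req]
subjectAltName = DNS:host.example.test
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
  # Policy file: the extensions the CA chooses to issue, whatever the CSR asks for.
  cat > issue.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:host.example.test
EOF
  # Throwaway CA, then a stand-in for the incoming CSR that requests a SAN.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -config demo.cnf -extensions v3_ca -subj "/CN=Demo CA" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
    -config demo.cnf 2>/dev/null
}

sign() {  # usage: sign OUT [extra openssl x509 options...]
  local out=$1; shift
  openssl x509 -req -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out "$out" "$@" 2>/dev/null
}

csr_requests_san() {  # 0 if the CSR itself carries the SAN request
  openssl req -in host.csr -noout -text | grep -q "DNS:host.example.test"
}

has_san() {  # 0 if the signed certificate contains the SAN
  openssl x509 -in "$1" -noout -text | grep -q "DNS:host.example.test"
}

if [ "${1:-}" = "run" ]; then
  setup && sign plain.crt && sign ext.crt -extfile issue.ext
  has_san plain.crt && echo "plain: SAN present" || echo "plain: SAN dropped"
  has_san ext.crt && echo "extfile: SAN present" || echo "extfile: SAN dropped"
fi
```

Setting the extensions from a CA-side file means a request cannot grant itself something like `CA:TRUE`. When signing with `openssl ca` instead, the `copy_extensions` option in the CA section controls whether requested extensions are carried over, and it is off by default.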
