On Fri, Feb 7, 2020 at 11:02 AM Sergio NNX <sfhacker@xxxxxxxxxxx> wrote:
>
> This is the basics of OpenSSL!
>
> You would like to add extensions to a CSR or the problem arises when signing it?

Yes, when I sign, I get no extensions that are requested in the CSR. Nor are any added, when I sign (requested or not).

> > OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.
> Which part is not clear?

Pretty much all of it :-), because I tried doing it the way the man page showed, and nothing worked for me. I want the signed cert to have the requested extensions. And also a SAN, since Chrome isn't happy unless it finds a SAN. And sometimes more extensions than requested, if need be.

> First, you create a CSR file with the extensions you need/want.
> (openssl req -new -config user.cnf -key user.key -out user.csr)

No, our CSRs are created by the machine that will use it. (IIS server, AD DC, Linux phone system, etc). I never create a req, I just sign incoming ones.

> That's it.

I can sign just fine. What I can't get is a cert the way I need it to be ... (well, I can, if I add in a -extfile containing all the extensions, requested or not).

I can send you the openssl.cnf off list.
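
The behaviour described in this message, reproduced as an added example that is not part of the original post: a CSR that requests a SAN is signed once without and once with `-extfile`. It assumes the signing command is `openssl x509 -req` (the message does not say which command is used); the CA, host name and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, subject and SAN value below is made up.

# Create a throwaway CA, a CSR that requests a SAN, and a one-line
# extension file; print the work directory.
make_fixture() {
  d=$(mktemp -d) || return 1
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = host.example.test
[v3_req]
subjectAltName = DNS:host.example.test
EOF
  printf 'subjectAltName = DNS:host.example.test\n' > "$d/san.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
    -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
  echo "$d"
}

# Sign $1/host.csr with the demo CA and write the PEM cert to stdout.
# $2, if given, is passed as -extfile.
sign_csr() {
  if [ -n "${2:-}" ]; then
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -set_serial 1 -days 1 -extfile "$2" 2>/dev/null
  else
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -set_serial 1 -days 1 2>/dev/null
  fi
}

# Succeeds if the CSR in work directory $1 requests a subjectAltName.
csr_requests_san() {
  openssl req -in "$1/host.csr" -noout -text 2>/dev/null | grep -q "Subject Alternative Name"
}

# Succeeds if the PEM certificate on stdin carries a subjectAltName.
cert_has_san() {
  openssl x509 -noout -text 2>/dev/null | grep -q "Subject Alternative Name"
}
```

To try it: `d=$(make_fixture); sign_csr "$d" | cert_has_san || echo "SAN dropped"; sign_csr "$d" "$d/san.ext" | cert_has_san && echo "SAN present"`.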