RE: Problems adding specific extensions to signed certificates

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of
> Salz, Rich via openssl-users
> Sent: Friday, February 07, 2020 09:17
>
> I think the mismatch is that CSR extensions are not carried over; they have
> to be added at signing time.
> See https://github.com/openssl/openssl/issues/10458

Or copied using the copy_extensions option, as noted in the discussion of that issue.

In the OpenSSL configuration file used by "openssl ca", in the CA section (that is, the section named by the default_ca option, or in the section specified by the -name parameter to the openssl ca command), add:

        copy_extensions=copy

That will copy all extensions from the CSR that aren't overridden by the specified extensions section. As Rich noted in the discussion of issue 10458, and as should be obvious, this is a major security risk if you don't also control CSR generation (i.e. if your CSRs are tainted).

See the documentation for openssl ca for more information. If you don't like using the man command, read the OpenSSL docs online:

        https://www.openssl.org/docs/man1.1.1/man1/ca.html

I'm assuming a reasonably recent version of OpenSSL.

So:
1. Make sure your threat model allows copying extensions from CSRs to certificates.
2. Make sure your CA configuration has "copy_extensions=copy" (or possibly copyall, though use cases justifying that are less common).
3. Make sure the CSRs you're generating have the extensions you want.
4. Generate a new CSR or revoke the certificate for one you've already issued, and try again.

--
Michael Wojcik
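The copy_extensions behaviour described in the message, as an added shell example that is not part of Michael's reply or of the OpenSSL project: it builds a throwaway CA in a temporary directory, submits a CSR that requests a subjectAltName, and signs it first with copy_extensions=none and then with copy_extensions=copy, so only the second certificate carries the requested SAN. The names (Demo Root, leaf.example.test) and section names (demo_ca, demo_policy, leaf_ext) are constructed for the demo; it assumes an OpenSSL with the `req -addext` option (1.1.1 or later).

```shell
# Added example, not from the original message: show the effect of the
# copy_extensions setting in the CA section used by "openssl ca". A CSR
# requests subjectAltName; the issued certificate carries it only when the
# config says copy_extensions=copy. Names below are constructed for the demo.
set -eu
# Write a minimal "openssl ca" config into $1 with copy_extensions set to $2.
# default_ca names the CA section; "\$dir" is left for OpenSSL to expand.
write_ca_config() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 1
policy          = demo_policy
x509_extensions = leaf_ext
copy_extensions = $2
[ demo_policy ]
commonName      = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
# Build a throwaway CA, issue a CSR that asks for a SAN, sign it with
# copy_extensions=$1 ("none" or "copy"); echo "san" if the certificate
# carries the SAN and "nosan" otherwise. P-256 keys keep it fast.
sign_with_copy_mode() {
  dir=$(mktemp -d); mkdir "$dir/newcerts"; : > "$dir/index.txt"; echo 1000 > "$dir/serial"
  write_ca_config "$dir" "$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
    -config "$dir/ca.cnf" -subj "/CN=Demo Root" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=leaf.example.test" -addext "subjectAltName=DNS:leaf.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl ca -batch -config "$dir/ca.cnf" -in "$dir/leaf.csr" -out "$dir/leaf.crt" 2>/dev/null
  if openssl x509 -in "$dir/leaf.crt" -noout -text | grep -q 'DNS:leaf.example.test'; then
    echo san; else echo nosan; fi
  rm -rf "$dir"
}
for mode in none copy; do echo "copy_extensions=$mode -> $(sign_with_copy_mode "$mode")"; done
```

The first line of output reports nosan and the second san; the same CSR yields a SAN-bearing certificate only when the CA section copies extensions, which is exactly why step 1 of the list above matters.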
