> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of > Salz, Rich via openssl-users > Sent: Friday, February 07, 2020 09:17 > > I think the mismatch is that CSR extensions are not carried over; they have > to be added at signing time. > See https://github.com/openssl/openssl/issues/10458 Or copied using the copy_extensions option, as noted in the discussion of that issue. In the OpenSSL configuration file used by "openssl ca", in the CA section (that is, the section named by the default_ca option, or in the section specified by the -name parameter to the openssl ca command), add: copy_extensions=copy That will copy all extensions from the CSR that aren't overridden by the specified extensions section. As Rich noted in the discussion of issue 10458, and as should be obvious, this is a major security risk if you don't also control CSR generation (i.e. if your CSRs are tainted). See the documentation for openssl ca for more information. If you don't like using the man command, read the OpenSSL docs online: https://www.openssl.org/docs/man1.1.1/man1/ca.html I'm assuming a reasonably recent version of OpenSSL. So: 1. Make sure your threat model allows copying extensions from CSRs to certificates. 2. Make sure your CA configuration has "copy_extensions=copy" (or possibly copyall, though use cases justifying that are less common). 3. Make sure the CSRs you're generating have the extensions you want. 4. Generate a new CSR or revoke the certificate for one you've already issued, and try again. -- Michael Wojcik
