Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 1:46 PM Michael Leone <turgon@xxxxxxxxxxxxxx> wrote:
>
> On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik
> <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:
> > Or copied using the copy_extensions option, as noted in the discussion of that issue.
> >
> > In the OpenSSL configuration file used by "openssl ca", in the CA section (that is, the section named by the default_ca option, or in the section specified by the -name parameter to the openssl ca command), add:
> >
> >         copy_extensions=copy
> >
> > That will copy all extensions from the CSR that aren't overridden by the specified extensions section. As Rich noted in the discussion of issue 10458, and as should be obvious, this is a major security risk if you don't also control CSR generation (i.e. if your CSRs are tainted).
>
> I will try that. Since I deal only in cert requests generated

Nope; didn't work for me. I get no extensions listed in the cert at
all, not the ones requested by the CSR, not the ones listed in the CA.
Nuthin. LOL

Only if I use the -extfile parameter do I get extensions, and those
may not be what the CSR is requesting.

How is it that this works for everyone else, and not me? :-)
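
The `copy_extensions` behaviour described in the quoted advice, as an added example that is not part of the original message: a throwaway CA signs a CSR that asks for a SAN and for `CA:TRUE`, while the CA's own extensions section pins `basicConstraints`. All section names, subjects and paths are constructed for the illustration.

```sh
#!/bin/sh
# Added example. Throwaway CA in a temp dir; every name here is constructed.
# usage: issue_with_copy copy|none   -> text dump of the issued certificate
issue_with_copy() {
    mode=$1
    d=$(mktemp -d) || return 1
    mkdir "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 30
policy = policy_any
# Extensions the CA always sets; a CSR cannot override these in "copy" mode.
x509_extensions = issued_ext
copy_extensions = $mode
[ policy_any ]
commonName = supplied
[ issued_ext ]
basicConstraints = critical,CA:FALSE
[ req ]
prompt = no
distinguished_name = dn
req_extensions = csr_ext
[ dn ]
CN = host.example.test
# What the requester asks for: a SAN, plus CA:TRUE standing in for a tainted CSR.
[ csr_ext ]
subjectAltName = DNS:host.example.test
basicConstraints = CA:TRUE
EOF
    {
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
            -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" &&
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -keyout "$d/host.key" -out "$d/host.csr" &&
        openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/host.csr" -out "$d/host.crt"
    } >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    openssl x509 -in "$d/host.crt" -noout -text
    rm -rf "$d"
}
```

With `copy`, the dump carries the SAN from the CSR next to the CA's own `CA:FALSE`; with `none`, the SAN is absent.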



