On 27/01/2022 06:00, Glen Huang wrote:
Hi,
I’m trying to create a signed certificate from a CA certificate without creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj ‘/CN=leaf’ -out leaf.crt
```
However,
```
openssl x509 -in leaf.crt -text -noout
```
reports that it contains:
```
X509v3 Basic Constraints: critical
CA:TRUE
```
Which should be incorrect, since leaf.crt has an issuer and is not a CA.
I wonder if this is by design? Is there a way to omit the basic constraints extension in a leaf certificate?
A close reading of the openssl-req man page will reveal the hint that
explains this:
https://www.openssl.org/docs/man3.0/man1/openssl-req.html
You have used the -CA option. The man page describes this option as follows:
Specifies the "CA" certificate to be used for signing a new certificate
and implies use of -x509. When present, this behaves like a "micro CA"
as follows: The subject name of the "CA" certificate is placed as issuer
name in the new certificate, which is then signed using the "CA" key
given as specified below.
The "implies use of -x509" is significant here. The description of the
"-x509" option says that "X.509 extensions to be added can be specified
in the configuration file". Later the description of the configuration
file format on that man page says:
x509_extensions
This specifies the configuration file section containing a list of
extensions to add to certificate generated when -x509 is in use. It can
be overridden by the -extensions command line switch.
Next if we look at the default config file, we see this:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
The comment against "x509_extensions" is actually misleading. These are
actually the extensions to add if the "-x509" option is in use (which is
implied by -CA). Usually if you're just using "-x509" then you are
creating a self-signed cert - but not if you are using "-CA".
So, assuming you are using the default config file settings, then the
extensions to be added are "v3_ca". This has the effect of adding the
"Basic Constraints, CA:TRUE" setting to the certificate. If you comment
out that line from the config file then it won't get added.
Matt