Re: Openssl req signs certificate with "Basic Constraints: CA: TRUE"

Thanks Matt,

After disabling the default config, basic constraints are omitted.

It seems a more revealing description is in "-config": for a description of the default value, see "COMMAND SUMMARY" in openssl(1).

I didn't know "-config" has a default value and it usually points to the one shipped with openssl. Thanks for bringing my attention to it.

Regards,
Glen

On Jan 27, 2022, at 8:25 PM, Matt Caswell <matt@xxxxxxxxxxx> wrote:



On 27/01/2022 06:00, Glen Huang wrote:
Hi,
I’m trying to create a signed certificate from a CA certificate without creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj '/CN=leaf' -out leaf.crt
```
However,
```
openssl x509 -in leaf.crt -text -noout
```
reports that it contains:
```
X509v3 Basic Constraints: critical
    CA:TRUE
```
Which should be incorrect, since leaf.crt has an issuer and is not a CA.
I wonder if this is by design? Is there a way to omit the basic constraints extension in a leaf certificate?

A close reading of the openssl-req man page will reveal the hint that explains this:

https://www.openssl.org/docs/man3.0/man1/openssl-req.html

You have used the -CA option. The man page describes this option as follows:

Specifies the "CA" certificate to be used for signing a new certificate and implies use of -x509. When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as specified below.

The "implies use of -x509" is significant here. The description of the "-x509" option says that "X.509 extensions to be added can be specified in the configuration file". Later the description of the configuration file format on that man page says:

x509_extensions
This specifies the configuration file section containing a list of extensions to add to certificate generated when -x509 is in use. It can be overridden by the -extensions command line switch.


Next if we look at the default config file, we see this:

[ req ]
default_bits = 2048
default_keyfile  = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert


The comment against "x509_extensions" is actually misleading. These are actually the extensions to add if the "-x509" option is in use (which is implied by -CA). Usually if you're just using "-x509" then you are creating a self-signed cert - but not if you are using "-CA".

So, assuming you are using the default config file settings, then the extensions to be added are "v3_ca". This has the effect of adding the "Basic Constraints, CA:TRUE" setting to the certificate. If you comment out that line from the config file then it won't get added.

Matt
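
The following script is an added example and is not part of the thread or of OpenSSL's own test suite. It reproduces Matt's explanation end to end: a config file that carries the shipped default's `x509_extensions = v3_ca` line, a CA created with it, then the same `req -CA` command (i) with that default, which yields CA:TRUE, (ii) with `-extensions leaf_ext`, which overrides the `[req]` setting and yields CA:FALSE, and (iii) with the `x509_extensions` line deleted, which is what Glen did and leaves the extension out entirely. It needs OpenSSL 3.0 or later, since `req -CA` does not exist before that; the file names, the section names `v3_ca`/`leaf_ext`, the `leaf.example` SAN and the use of P-256 keys are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): show that "req -CA" implies -x509 and
# therefore applies [req] x509_extensions, and two ways to stop that.
# Requires OpenSSL 3.0+ for "req -CA". Names and paths are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/req.cnf"

# Does this openssl know "req -CA" (OpenSSL 3.0 or later)?
req_supports_ca() {
    openssl req -help 2>&1 | grep -qE '^ *-CA '
}

# Minimal config mirroring the shipped default's [req] section. The
# x509_extensions line applies to every certificate "req" emits under -x509,
# and -CA implies -x509. leaf_ext is the section a leaf should use instead.
write_config() {
    cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca          # same as the shipped default config

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName   = DNS:leaf.example
EOF
}

new_key() {  # $1 = output path; P-256 keeps the demo fast
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Print CA:TRUE, CA:FALSE, or "absent" for the certificate in $1.
basic_constraints() {
    bc=$(openssl x509 -in "$1" -noout -text | grep -oE 'CA:(TRUE|FALSE)' | head -n 1)
    printf '%s\n' "${bc:-absent}"
}

make_ca() {
    new_key "$WORK/ca.key"
    openssl req -config "$CFG" -x509 -key "$WORK/ca.key" -subj '/CN=test-ca' \
        -out "$WORK/ca.crt"
}

# Glen's command with the default-style config: v3_ca is applied -> CA:TRUE.
make_leaf_default_extensions() {
    new_key "$WORK/leaf.key"
    openssl req -config "$CFG" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -key "$WORK/leaf.key" -subj '/CN=leaf' -out "$WORK/leaf_bad.crt"
    basic_constraints "$WORK/leaf_bad.crt"
}

# Fix 1: -extensions overrides [req] x509_extensions -> CA:FALSE.
make_leaf_with_leaf_ext() {
    openssl req -config "$CFG" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -key "$WORK/leaf.key" -subj '/CN=leaf' -extensions leaf_ext \
        -out "$WORK/leaf.crt"
    basic_constraints "$WORK/leaf.crt"
}

# Fix 2 (what Glen did): delete the x509_extensions line -> no extension at all.
make_leaf_without_x509_extensions() {
    sed '/^x509_extensions/d' "$CFG" > "$WORK/req-noext.cnf"
    openssl req -config "$WORK/req-noext.cnf" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -key "$WORK/leaf.key" -subj '/CN=leaf' -out "$WORK/leaf_noext.crt"
    basic_constraints "$WORK/leaf_noext.crt"
}

# Chain check: the fixed leaf must still validate against the issuing CA.
leaf_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

if req_supports_ca; then
    write_config
    make_ca
    echo "ca.crt:                     $(basic_constraints "$WORK/ca.crt")"
    echo "default x509_extensions:    $(make_leaf_default_extensions)"
    echo "with -extensions leaf_ext:  $(make_leaf_with_leaf_ext)"
    echo "x509_extensions removed:    $(make_leaf_without_x509_extensions)"
    leaf_verifies && echo "leaf.crt verifies against ca.crt"
else
    echo "openssl req -CA not available (need OpenSSL 3.0+)"
fi
```

Of the two fixes, `-extensions leaf_ext` is the one to prefer: it keeps an explicit, critical `CA:FALSE` plus leaf-appropriate key usage and SAN in the certificate, whereas removing the `x509_extensions` line only makes the extension disappear. Either way, `openssl x509 -in leaf.crt -noout -ext basicConstraints` is the quick check to run before deploying anything signed with a `req` one-liner.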

