| Thanks Matt,
After disabling the default config, basic constraints are omitted.
It seems a more revealing description is in “-config”: for a description of the default value, see "COMMAND SUMMARY" in openssl(1).
I didn’t know “-config" has a default value and it usually points to the one shipped with openssl. Thanks for bringing my attention to it.
Regards, Glen
On 27/01/2022 06:00, Glen Huang wrote:Hi,
I’m trying to create a signed certificate from a CA certificate without creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj ‘/CN=leaf’ -out leaf.crt
```
However,
```
openssl x509 -in leaf.crt -text -noout
```
reports that it contains:
```
X509v3 Basic Constraints: critical
CA:TRUE
```
Which should be incorrect, since leaf.crt has an issuer and is not a CA.
I wonder if this is by design? Is there a way to omit the basic constraints extension in a leaf certificate?
A close reading of the openssl-req man page will reveal the hint that explains this:https://www.openssl.org/docs/man3.0/man1/openssl-req.htmlYou have used the -CA option. The man page describes this option as follows:Specifies the "CA" certificate to be used for signing a new certificate and implies use of -x509. When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as specified below.The "implies use of -x509" is significant here. The description of the "-x509" option says that "X.509 extensions to be added can be specified in the configuration file". Later the description of the configuration file format on that man page says:x509_extensionsThis specifies the configuration file section containing a list of extensions to add to certificate generated when -x509 is in use. It can be overridden by the -extensions command line switch.Next if we look at the default config file, we see this:[ req ]default_bits = 2048default_keyfile = privkey.pemdistinguished_name = req_distinguished_nameattributes = req_attributesx509_extensions = v3_ca # The extensions to add to the self signed certThe comment against "x509_extensions" is actually misleading. These are actually the extensions to add if the "-x509" option is in use (which is implied by -CA). Usually if you're just using "-x509" then you are creating a self-signed cert - but not if you are using "-CA".So, assuming you are using the default config file settings, then the extensions to be added are "v3_ca". This has the effect of adding the "Basic Constraints, CA:TRUE" setting to the certificate. If you comment out that line from the config file then it won't get added.Matt
|
