openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3

Jelle de Jong <jelledejong@xxxxxxxxxxxxx> · Wed, 26 Apr 2023 12:11:55 +0200

Hello everybody,

I am trying to generate a CSR with X509v3 from a working X509v3 cert but 
the output generates a version 1 CSR without X509v3.

These are the steps to reproduce:

openssl req -utf8 -x509 -nodes -new -keyout key.pem -out cert.pem -days 
3650 -subj '/CN=test.example.lan' -extensions v3_req -addext 
'subjectAltName = DNS:test.example.lan'

openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem 
-extensions v3_req -ext 
subjectAltName,keyUsage,basicConstraints,extendedKeyUsage,certificatePolicies

openssl req -in csr.pem -noout -verify

openssl req -in csr.pem -out csr.req

# show X509v3 Subject Alternative Name:
openssl x509 -in cert.pem -text -noout

# does not show X509v3 Subject Alternative Name:
openssl req -in csr.req -text -noout

Tried with the bollow two versions

$ openssl version
OpenSSL 1.1.1n  15 Mar 2022

# openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

Can someone, do I need a diffrent openssl x509 -x509toreq -extensions ...

Thank you in advance,

Kind regards,

Jelle de Jong