Tips for simple generation of self-signed certificates - Re: openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3

Hello Jelle,

you simply confused the versions. For X.509 the latest version is 3, while PKCS#10 CSRs are stuck with v1.
For this plain old CSR format there is no later one. See also https://www.rfc-editor.org/rfc/rfc2986#section-4.

BTW, I wonder why you first produce a certificate, skipping the CSR (cert request) step, and then produce a CSR.
You don't need a CSR when all you need is a self-signed (end-entity or root CA) certificate.

Better stop using OpenSSL 1.1.x - its support will end in September, but switch to 3.0 (with long-term support).
For producing such a simple certificate, you don't need to rely on any OpenSSL config (*.cnf) file.
Better do not use RSA with just 1024 bits anymore, but 2048 bits.
And to be precise with 10 years of validity, take leap years into account.
For the extensions, all you need is any subject alternative names.

For key usage, with RSA keys only digitalSignature and keyEncipherment makes sense,
while for EC keys only digitalSignature and keyAgreement makes sense,
but this can simply be left out, meaning that any key usage is allowed (which is safe for more situations).

So I suggest this:

openssl req -x509 -new -newkey rsa:2048 -nodes -keyout key.pem \
  -out cert.pem -days 3653 -subj '/CN=test.example.lan' \
  -addext 'subjectAltName = DNS:test.example.lan' \
  -addext 'keyUsage = digitalSignature, keyEncipherment'

If you already have a key or want to produce it separately, you can use

openssl genrsa -out key.pem 2048
openssl ecparam -genkey -name prime256v1 -out key.pem  # alternative for EC key, faster and smaller

openssl x509 -new -key key.pem -out cert.pem -days 3653 -subj '/CN=test.example.lan' \
  -extfile <(printf 'subjectAltName = DNS:test.example.lan\nkeyUsage = digitalSignature, keyEncipherment\n')

where as mentioned you can safely drop the keyUsage part.

Best,
David
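As an added example (not code from either message in this thread), the script below does what David describes and then checks the result the way Jelle was looking at it: it produces a self-signed certificate with no *.cnf file, confirms that the certificate is X.509 v3 and carries the DNS subject alternative name, and shows that a PKCS#10 request derived from it with -x509toreq is still reported as version 1. It assumes an openssl binary (1.1.1 or 3.x) in PATH and a writable temporary directory; the host name test.example.lan is the constructed one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: openssl (1.1.1 or 3.x) in PATH,
# a writable temp directory, and the constructed host name test.example.lan.
set -eu

make_self_signed() {
  # $1 = host name, $2 = output directory.
  # No config file needed: extensions are passed with -addext, 3653 days = 10 years
  # including leap days. stderr is silenced because 3.x prints deprecation notes.
  openssl req -x509 -new -newkey rsa:2048 -nodes \
    -keyout "$2/key.pem" -out "$2/cert.pem" -days 3653 \
    -subj "/CN=$1" \
    -addext "subjectAltName = DNS:$1" \
    -addext "keyUsage = digitalSignature, keyEncipherment" 2>/dev/null
}

cert_version() {
  # Print the X.509 version as openssl renders it ("3" for v3, DER integer 2).
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

cert_has_san() {
  # Succeed only if the certificate has a DNS SAN for $2.
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

cert_has_key_usage() {
  # Succeed only if keyUsage is exactly the two usages David recommends for RSA.
  openssl x509 -in "$1" -noout -ext keyUsage | grep -q 'Digital Signature, Key Encipherment'
}

csr_version() {
  # $1 = cert, $2 = key. -x509toreq yields a PKCS#10 request, which has only one
  # version (v1, DER integer 0), so this prints "1" regardless of the input cert.
  openssl x509 -x509toreq -in "$1" -signkey "$2" 2>/dev/null \
    | openssl req -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

demo() {
  dir=$(mktemp -d)
  make_self_signed test.example.lan "$dir"
  echo "certificate version: $(cert_version "$dir/cert.pem")"
  cert_has_san "$dir/cert.pem" test.example.lan && echo "SAN present"
  cert_has_key_usage "$dir/cert.pem" && echo "keyUsage present"
  echo "CSR version:         $(csr_version "$dir/cert.pem" "$dir/key.pem")"
  rm -rf "$dir"
}

# Run the demonstration only when invoked as: sh selfsigned.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The check functions read the certificate back with openssl x509 -ext, which is the quickest way to confirm that -addext actually landed in the issued certificate; the "Version: 1" printed for the request is the PKCS#10 version field and says nothing about which X.509 extensions the request carries.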


On Wed, 2023-04-26 at 12:11 +0200, Jelle de Jong wrote:
Hello everybody,

I am trying to generate a CSR with X509v3 from a working X509v3 cert but
the output generates a version 1 CSR without X509v3.

These are the steps to reproduce:

openssl req -utf8 -x509 -nodes -new -keyout key.pem -out cert.pem -days 3650 \
  -subj '/CN=test.example.lan' -extensions v3_req \
  -addext 'subjectAltName = DNS:test.example.lan'

openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem \
  -extensions v3_req \
  -ext subjectAltName,keyUsage,basicConstraints,extendedKeyUsage,certificatePolicies

openssl req -in csr.pem -noout -verify

openssl req -in csr.pem -out csr.req

# show X509v3 Subject Alternative Name:
openssl x509 -in cert.pem -text -noout

# does not show X509v3 Subject Alternative Name:
openssl req -in csr.req -text -noout

Tried with the below two versions

$ openssl version
OpenSSL 1.1.1n  15 Mar 2022

# openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

Can someone, do I need a different openssl x509 -x509toreq -extensions ...

Thank you in advance,

Kind regards,

Jelle de Jong

