On Wed, 2023-04-26 at 17:38 +0200, Jelle de Jong wrote:
I do not see the CSR back in your suggestion.
Yes, because I thought you do not need it because you produce a certificate before.
And where needed, for simplicity and consistency better derive it from the certificate rather than creating it from scratch.
And where needed, for simplicity and consistency better derive it from the certificate rather than creating it from scratch.
Concerning the problem you mentioned that openssl x509 -x509toreq (by default) does not copy X509v3 extensions
(BTW, PKCS#10 version 1 does support X.509 v3 extensions), I added support for this in OpenSSL 3.0, to use as follows:
(BTW, PKCS#10 version 1 does support X.509 v3 extensions), I added support for this in OpenSSL 3.0, to use as follows:
openssl x509 -x509toreq -in cert.pem -signkey key.pem -copy_extensions copy
Even more straightforward would be to produce first a CSR, like this:
openssl req -new -key key.pem -out csr.pem -subj '/CN=test.example.lan' \
-addext 'subjectAltName = DNS:test.example.lan' \
-addext 'keyUsage = digitalSignature, keyEncipherment'
and then derive a certificate, using the extension copy feature I added to this app as well in OpenSSL 3.0 as follows:
openssl req -x509 -key key.pem -in csr.pem -copy_extensions copy
Yet of course both approaches do not work for you as long as you are stuck with OpenSSL 1.x.
Sadly only Debian Testing is shipping openssl 3.0.8-1 and there is nobackports package and my other systems also did not ship with version 3for testing. https://packages.debian.org/bullseye/openssl
I have the same issue with Debian 11 (bullseye).
Yet one can easily compile any OpenSSL version 3.x also on any recent version of Debian.
There are nice tutorials how to do this, see for instance here.
There are nice tutorials how to do this, see for instance here.
What I am doing is to create a working but self-signed certificate firstand then replacing it later with a certificate signed by theorganisation (which can take multiple weeks at this customer).That is why I want to generate a CSR from a working certificate that I generated.
I understand.
-days 3653
PKCS#10 CSRs (as opposed to CRMF CSRs) do not support a validity period -
this needs to be defined and set by the certificate issuer (usually, a CA).
this needs to be defined and set by the certificate issuer (usually, a CA).
-newkey rsa:2048Is there a way without having to use the -extfile configuration file?
As I see in your below email, you meanwhile found (with the hints given before) how to do this.
Kind regards,
David
On Wed, 2023-04-26 at 18:45 +0200, Jelle de Jong wrote:
On 4/26/23 12:24, Dirk-Willem van Gulik wrote:On 26 Apr 2023, at 12:11, Jelle de Jong <jelledejong@xxxxxxxxxxxxx> wrote:I am trying to generate a CSR with X509v3 from a working X509v3 cert but the output generates a version 1 CSR without X509v3.These are the steps to reproduce:openssl req -utf8 -x509 -nodes -new -keyout key.pem -out cert.pem -days 3650 -subj '/CN=test.example.lan' -extensions v3_req -addext 'subjectAltName = DNS:test.example.lan'openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extensions v3_req -ext subjectAltName,keyUsage,basicConstraints,extendedKeyUsage,certificatePoliciesopenssl req -in csr.pem -noout -verifyopenssl req -in csr.pem -out csr.req# show X509v3 Subject Alternative Name:openssl x509 -in cert.pem -text -noout# does not show X509v3 Subject Alternative Name:openssl req -in csr.req -text -nooutTried with the bollow two versions$ openssl versionOpenSSL 1.1.1n 15 Mar 2022# openssl versionOpenSSL 1.1.1k FIPS 25 Mar 2021Can someone, do I need a diffrent openssl x509 -x509toreq -extensions …I’d expect your default openssl.cnf or something to be empty or incomplete.This should work:cat <<EOM > ext.cnfauthorityKeyIdentifier=keyid,issuerbasicConstraints=CA:FALSEkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEnciphermentEOMopenssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem -extfile ./ext.cnfopenssl req -in csr.req -text -nooutDw.% cat ext.cnfauthorityKeyIdentifier=keyid,issuerbasicConstraints=CA:FALSEkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment% openssl x509 -x509toreq -in cert.pem -signkey key.pem -extfile ./ext.cnf | openssl req -text -nooutCertificate Request:Data:Version: 1 (0x0)Subject: CN = test.example.lanSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:...Exponent: 65537 (0x10001)Attributes:Requested Extensions:X509v3 Authority Key Identifier: DirName:/CN=test.example.lanserial:39:87:74:CF:10:D6:65:50:B4:AF:45:3A:1D:87:98:7A:D3:B5:16:EFX509v3 Basic Constraints: CA:FALSEX509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data EnciphermentSignature Algorithm: sha256WithRSAEncryptionSignature Value:ac:8a:5a:14:61:2f:59:21:b3:60:02:80:a5:c5:62:19:33:22:...Thank you Dirk-Willem for replying!I found a workaround for -x509toreq I tried the above and it did notgenerate the X509v3 extentions! Even after I catched the csr.pem vscsr.req mistake in the example command.If someone can get the x509toreq output the X509v3 as expected then Iwould love to see this.Sadly only Debian Testing is shipping openssl 3.0.8-1 and there is nobackports package and my other systems also did not ship with version 3for testing. https://packages.debian.org/bullseye/opensslI needed to be able to reuse the same private key so I used both yoursand David example and came up with this:openssl genrsa -out key.pem 4096openssl req -utf8 -x509 -nodes -new -key key.pem -out cert.pem -days3653 -subj '/CN=test.example.lan' -addext 'subjectAltName =DNS:test.example.lan' -addext 'keyUsage = digitalSignature, keyEncipherment'openssl req -utf8 -nodes -new -key key.pem -out csr.pem -subj'/CN=test.example.lan' -addext 'subjectAltName = DNS:test.example.lan'-addext 'keyUsage = digitalSignature, keyEncipherment'openssl req -in csr.pem -noout -verifyverify OKopenssl req -in csr.pem -text -nooutCertificate Request:Data:Version: 1 (0x0)Subject: CN = test.example.lanSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public-Key: (4096 bit)Modulus:...Exponent: 65537 (0x10001)Attributes:Requested Extensions:X509v3 Subject Alternative Name:DNS:test.example.lanX509v3 Key Usage:Digital Signature, Key EnciphermentSignature Algorithm: sha256WithRSAEncryption...
