P.S. I forgot to mention some parameters in the example for getting a self-signed cert form a CSR - it should have read
openssl req -x509 -key key.pem -in csr.pem -days 3653 -copy_extensions copy -out cert.pem
or equivalently
openssl x509 -req -key key.pem -in csr.pem -days 3653 -copy_extensions copy -out cert.pem
Another advantage of using the OpenSSL 3.0+ apps is that they automatically add any needed/recommended
subject key identifier (SKID) and authority key identifier (AKID) extensions (while they are not needed for self-signed end-entity certs),
without the need to use extension configuration files or CLI parameters such as -addext 'authorityKeyIdentifier = keyid:always'
subject key identifier (SKID) and authority key identifier (AKID) extensions (while they are not needed for self-signed end-entity certs),
without the need to use extension configuration files or CLI parameters such as -addext 'authorityKeyIdentifier = keyid:always'
On Wed, 2023-04-26 at 21:07 +0200, David von Oheimb wrote:
On Wed, 2023-04-26 at 17:38 +0200, Jelle de Jong wrote:I do not see the CSR back in your suggestion.Yes, because I thought you do not need it because you produce a certificate before.
And where needed, for simplicity and consistency better derive it from the certificate rather than creating it from scratch.Concerning the problem you mentioned that openssl x509 -x509toreq (by default) does not copy X509v3 extensions
(BTW, PKCS#10 version 1 does support X.509 v3 extensions), I added support for this in OpenSSL 3.0, to use as follows:openssl x509 -x509toreq -in cert.pem -signkey key.pem -copy_extensions copyEven more straightforward would be to produce first a CSR, like this:openssl req -new -key key.pem -out csr.pem -subj '/CN=test.example.lan' \-addext 'subjectAltName = DNS:test.example.lan' \-addext 'keyUsage = digitalSignature, keyEncipherment'and then derive a certificate, using the extension copy feature I added to this app as well in OpenSSL 3.0 as follows:openssl req -x509 -key key.pem -in csr.pem -copy_extensions copyYet of course both approaches do not work for you as long as you are stuck with OpenSSL 1.x.Sadly only Debian Testing is shipping openssl 3.0.8-1 and there is nobackports package and my other systems also did not ship with version 3for testing. https://packages.debian.org/bullseye/opensslI have the same issue with Debian 11 (bullseye).Yet one can easily compile any OpenSSL version 3.x also on any recent version of Debian.
There are nice tutorials how to do this, see for instance here.What I am doing is to create a working but self-signed certificate firstand then replacing it later with a certificate signed by theorganisation (which can take multiple weeks at this customer).That is why I want to generate a CSR from a working certificate that I generated.I understand.-days 3653PKCS#10 CSRs (as opposed to CRMF CSRs) do not support a validity period -
this needs to be defined and set by the certificate issuer (usually, a CA).-newkey rsa:2048Is there a way without having to use the -extfile configuration file?As I see in your below email, you meanwhile found (with the hints given before) how to do this.Kind regards,David
