Another trouble I found (maybe it's my conf again?) is that I am unable to
use a section to call out to define common options for x509 extensions.
Example: this does not work:
[ ca ]
default_ca = Domain-CA

[ Domain-CA ]
...
x509_extensions = common_options

[ common_options ]
crlDistributionPoints = URI:http://my_machine_fqdn/crl/root.crl
nsComment = "Generated Certificate for Company"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
Please work this into an example explaining in detail what you expect to
see, what you do see, and what commands you run.
Sorry, the formatting has gone south.
So, create a config.cnf file for a CA like this (I don't include all
settings; there are many examples on the web):
[ ca ]
default_ca = Domain-CA

[ Domain-CA ]
...
x509_extensions = common_options

[ common_options ]
crlDistributionPoints = URI:http://my_machine_FQDN/crl/root.crl
nsComment = "OpenSSL Generated Certificate for Company"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints = CA:true
Create your CA, the root certificate, its key, its CRL ...
Create a CSR to ask this CA to generate a certificate for you. In my
case I use this ROOT-CA only to generate a certificate for a
Subordinate-CA that handles all the certificate generation:
# openssl ca -config config.cnf -extensions v3_ca -days 375 -notext -md sha256 \
    -keyfile /etc/ROOT-CA/private/ca.key -in SUBORDINATE-CA.csr -out SUBORDINATE-CA.crt
Once generated, look into this new certificate; what you can see at this
point is that there are no x509 extensions in there.
# openssl x509 -in SUBORDINATE-CA.crt -text -noout
If you put the crlDistributionPoints in the [ v3_ca ] segment then it
will be part of the certificate.
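Added example (not code from the thread or from OpenSSL) covering both the first post's config and the full config.cnf walkthrough above: a small parser for the `[ section ]` / `key = value` subset of the OpenSSL config syntax used here, plus a function that resolves which extension section `openssl ca` will actually add to the issued certificate. It models the documented precedence rule: `-extensions NAME` on the command line replaces the `x509_extensions` key of the CA section rather than merging with it, so a section named only in the config is silently skipped when the flag names another one. The config text, the `dir` value and the `my_machine_FQDN` host are constructed placeholders.

```python
"""Resolve the extension section `openssl ca` will apply, given a config
and an optional `-extensions` flag. Added example; not from the thread."""
import re

# Constructed config in the shape of the poster's config.cnf (hypothetical
# values; the FQDN and dir are placeholders, not a real CA).
SAMPLE_CONFIG = """
[ ca ]
default_ca = Domain-CA

[ Domain-CA ]
dir = /etc/ROOT-CA
x509_extensions = common_options

[ common_options ]
crlDistributionPoints = URI:http://my_machine_FQDN/crl/root.crl
nsComment = "OpenSSL Generated Certificate for Company"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints = CA:true
"""

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")


def parse_openssl_config(text):
    """Parse `[ section ]` headers and `key = value` lines into
    {section: {key: value}}. Keys before the first header go into the
    'default' section. Blank lines and `#` comments are dropped. This
    covers only the subset used in the thread (no .include, no $var)."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def effective_extensions(config, cli_extensions=None):
    """Return (section_name, extensions) that `openssl ca` would add.

    `cli_extensions` is the value given to `-extensions`; when present it
    wins outright. Otherwise the `x509_extensions` key of the section named
    by `[ca] default_ca` is used. With neither set, no extension section is
    applied and the result is (None, {}).
    """
    ca_section = config["ca"]["default_ca"]
    name = cli_extensions or config[ca_section].get("x509_extensions")
    if name is None:
        return None, {}
    if name not in config:
        raise KeyError(f"extension section [{name}] not found in config")
    return name, dict(config[name])


if __name__ == "__main__":
    cfg = parse_openssl_config(SAMPLE_CONFIG)
    # Without the flag, [common_options] is used; with -extensions v3_ca
    # only [v3_ca] is applied, so crlDistributionPoints never appears.
    for flag in (None, "v3_ca"):
        name, exts = effective_extensions(cfg, flag)
        print(f"-extensions {flag!s:>6}: section [{name}] -> {sorted(exts)}")
```

Running it shows the two cases side by side: with no `-extensions` flag the CRL distribution point, nsComment and key identifiers from `[ common_options ]` are selected, while `-extensions v3_ca` selects only `basicConstraints`. A CA operator who wants both sets on a subordinate CA certificate therefore needs a single section that lists every extension the certificate should carry, and the extension section in use is worth confirming with `openssl x509 -text -noout` before the certificate is deployed.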