On Wed, 2019-12-11 at 14:48 +0000, Nicolas Mora wrote:
> 10 December 2019 09:22 "Nikos Mavrogiannopoulos" <[email protected]> wrote:
>
> > Could you minimize the commands needed to reproduce the issue you
> > are describing?
>
> Here is a minimal set of commands to reproduce the problem:
>
> # Generate the ca certificate
> echo add_extension = "1.3.6.1.4.1.45724.1.1.4 octet_string(0x0410CD8C395C26EDEEDE653B00797D03CA3C)" >>tmpl
> certtool --generate-privkey --outfile ca.key
> certtool --generate-self-signed --load-privkey ca.key --outfile ca.cert --template tmpl
>
> # generate the client key
> certtool --generate-privkey --outfile signed.key
>
> # Example 1: create a signed certificate without request
> certtool --generate-certificate --load-privkey signed.key --outfile signed.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl
>
> # Example 2: create a signed certificate with request
> certtool --generate-request --load-privkey signed.key --outfile signed-r.csr --template tmpl
> certtool --generate-certificate --load-request signed-r.csr --load-privkey signed.key --outfile signed-r.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl
>
> In example 1, if I create a certificate signed with the ca.cert file without generating the request file first, the signed certificate contains the extension.
> In example 2, if I create a certificate signed with the ca.cert file using the request, the signed certificate doesn't contain the extension.
When generating a certificate from a certificate request you should add:

honor_crq_extensions

to the template. Otherwise they are ignored.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
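The following script is an added example, not part of the thread or of GnuTLS. It reproduces Nicolas's example 2 with the fix Nikos gives: the signing template carries honor_crq_extensions, so the private extension placed in the request (the OID and value from Nicolas's message) ends up in the issued certificate. Everything else is assumed: the file names, the CN values, the split of the template into a CA template, a request template and a signing template, and the use of a throwaway directory. It requires GnuTLS certtool and skips itself (exit status 2) if that is not what `certtool` resolves to. Since honor_crq_extensions makes certtool copy the extensions exactly as the requester wrote them, the script inspects the CSR with --crq-info before signing; that is the step a CA operator should not skip.

```shell
#!/bin/sh
# Added example (not from the thread): sign a certificate from a CSR with a
# template containing honor_crq_extensions and check that the requester's
# private extension survived signing. Assumes GnuTLS certtool is installed;
# file names and CN values are made up; work happens in a temp directory.

OID="1.3.6.1.4.1.45724.1.1.4"                              # from the thread
EXT_VALUE="octet_string(0x0410CD8C395C26EDEEDE653B00797D03CA3C)"  # from the thread

# Returns 0 if the OID is present in the signed certificate, 1 on any
# failure, 2 if GnuTLS certtool is not available (demo skipped, not failed).
sign_from_request() {
    certtool --version 2>/dev/null | grep -q GnuTLS || return 2
    work=$(mktemp -d) || return 1

    # CA template: the CA's own constraints live here, never in the request.
    cat > "$work/ca.tmpl" <<EOF
cn = "Example Test CA"
ca
cert_signing_key
expiration_days = 1
EOF

    # Requester template: a subject plus the private extension.
    cat > "$work/req.tmpl" <<EOF
cn = "example client"
add_extension = "$OID $EXT_VALUE"
EOF

    # Signing template: honor_crq_extensions makes certtool copy the
    # extensions found in the request; without it they are silently dropped.
    cat > "$work/sign.tmpl" <<EOF
honor_crq_extensions
expiration_days = 1
EOF

    certtool --generate-privkey --outfile "$work/ca.key" >/dev/null 2>&1 || return 1
    certtool --generate-self-signed --load-privkey "$work/ca.key" \
        --template "$work/ca.tmpl" --outfile "$work/ca.cert" >/dev/null 2>&1 || return 1

    certtool --generate-privkey --outfile "$work/client.key" >/dev/null 2>&1 || return 1
    certtool --generate-request --load-privkey "$work/client.key" \
        --template "$work/req.tmpl" --outfile "$work/client.csr" >/dev/null 2>&1 || return 1

    # Review what the requester asked for before honoring it: certtool is
    # about to copy these extensions verbatim into the issued certificate.
    certtool --crq-info --infile "$work/client.csr" | grep -q "$OID" || return 1

    certtool --generate-certificate --load-request "$work/client.csr" \
        --load-ca-certificate "$work/ca.cert" --load-ca-privkey "$work/ca.key" \
        --template "$work/sign.tmpl" --outfile "$work/client.cert" >/dev/null 2>&1 || return 1

    # The extension must now show up in the issued certificate.
    certtool --certificate-info --infile "$work/client.cert" | grep -q "$OID"
    rc=$?
    rm -rf "$work"
    return $rc
}

sign_from_request && echo "extension $OID carried over from the request"
```

Removing honor_crq_extensions from sign.tmpl makes the final grep fail, which is exactly the behaviour Nicolas reported for example 2. When honoring request extensions in a real CA, treat the --crq-info output as untrusted input: the requester controls every extension in it.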
