Hmm, actually what was the intention? Was the intention to read the extension from the certificate request, or to read the extension from the certificate template on the last step?
On Thu, Dec 12, 2019 at 7:07 AM Nikos Mavrogiannopoulos <[email protected]> wrote:
>
> On Wed, 2019-12-11 at 14:48 +0000, Nicolas Mora wrote:
> > On 10 December 2019 09:22 "Nikos Mavrogiannopoulos" <[email protected]> wrote:
> >
> > > Could you minimize the commands needed to reproduce the issue you are describing?
> > >
> > Here is a minimal set of commands to reproduce the problem:
> >
> > # Generate the ca certificate
> > echo add_extension = "1.3.6.1.4.1.45724.1.1.4 octet_string(0x0410CD8C395C26EDEEDE653B00797D03CA3C)" >>tmpl
> > certtool --generate-privkey --outfile ca.key
> > certtool --generate-self-signed --load-privkey ca.key --outfile ca.cert --template tmpl
> >
> > # generate the client key
> > certtool --generate-privkey --outfile signed.key
> >
> > # Example 1: create a signed certificate without request
> > certtool --generate-certificate --load-privkey signed.key --outfile signed.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl
> >
> > # Example 2: create a signed certificate with request
> > certtool --generate-request --load-privkey signed.key --outfile signed-r.csr --template tmpl
> > certtool --generate-certificate --load-request signed-r.csr --load-privkey signed.key --outfile signed-r.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl
> >
> > On the example 1, if I create a certificate signed with the ca.cert file without generating the request file first, the signed certificate contains the extension.
> > On the example 2, if I create a certificate signed with the ca.cert file using the request, the signed certificate doesn't contain the extension.
>
> When generating a certificate from a certificate request you should add:
> honor_crq_extensions
>
> to the template. Otherwise they are ignored.
>
> regards,
> Nikos
>
> _______________________________________________
> Gnutls-help mailing list
> [email protected]
> http://lists.gnupg.org/mailman/listinfo/gnutls-help
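The following script is an added example, not part of the thread and not GnuTLS project code. It reproduces the behaviour Nikos describes with two issuing templates that differ only in `honor_crq_extensions`, then checks each issued certificate for the extension with `certtool --certificate-info`. The OID and octet string come from Nicolas's reproducer; the template contents, file names and function names are my own choices, and the script assumes a `certtool` binary from GnuTLS is on the PATH. Unlike the original commands, the CA side never loads the client's private key, since with a CSR the public key is taken from the request.

```shell
#!/bin/sh
# Added example (not from the thread): the extension is placed on the CSR and the
# CA signs it twice, once without honor_crq_extensions and once with it.
set -eu

# OID and value taken from Nicolas's reproducer; everything else is constructed here.
OID="1.3.6.1.4.1.45724.1.1.4"
VALUE="octet_string(0x0410CD8C395C26EDEEDE653B00797D03CA3C)"

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the CA, the client key and a CSR that carries the custom extension.
setup() {
    # CA template: a CA certificate whose key usage is limited to certificate signing.
    printf 'cn = "Example CA"\nca\ncert_signing_key\nexpiration_days = 30\n' > "$WORK/ca.tmpl"
    # CSR template: the custom extension lives on the request, not on the CA template.
    printf 'cn = "client"\nadd_extension = "%s %s"\n' "$OID" "$VALUE" > "$WORK/req.tmpl"
    # Issuing templates: identical except that one honours the CSR's extensions.
    printf 'expiration_days = 30\ntls_www_client\nsigning_key\n' > "$WORK/issue-ignore.tmpl"
    { cat "$WORK/issue-ignore.tmpl"; echo 'honor_crq_extensions'; } > "$WORK/issue-honor.tmpl"

    certtool --generate-privkey --outfile "$WORK/ca.key" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$WORK/ca.key" \
        --template "$WORK/ca.tmpl" --outfile "$WORK/ca.cert" 2>/dev/null
    certtool --generate-privkey --outfile "$WORK/client.key" 2>/dev/null
    certtool --generate-request --load-privkey "$WORK/client.key" \
        --template "$WORK/req.tmpl" --outfile "$WORK/client.csr" 2>/dev/null
}

# Sign the CSR with the CA. $1 = issuing template, $2 = output certificate.
# The CA only needs the request and its own key; the subject's private key stays with the client.
sign_request() {
    certtool --generate-certificate --load-request "$WORK/client.csr" \
        --load-ca-certificate "$WORK/ca.cert" --load-ca-privkey "$WORK/ca.key" \
        --template "$1" --outfile "$2" 2>/dev/null
}

# Return 0 if certificate $1 carries extension OID $2, 1 otherwise.
# certtool lists extensions it does not know by OID, so a grep on the OID is enough.
has_extension() {
    certtool --certificate-info --infile "$1" 2>/dev/null | grep -q "$2"
}

demo() {
    setup
    sign_request "$WORK/issue-ignore.tmpl" "$WORK/ignored.cert"
    sign_request "$WORK/issue-honor.tmpl"  "$WORK/honored.cert"
    for f in ignored honored; do
        if has_extension "$WORK/$f.cert" "$OID"; then
            echo "$f.cert: extension $OID present"
        else
            echo "$f.cert: extension $OID absent"
        fi
    done
}

if command -v certtool >/dev/null 2>&1; then
    demo
else
    echo "certtool not found; install GnuTLS to run this example" >&2
fi
```

Expected result: `ignored.cert` reports the extension absent and `honored.cert` reports it present. The default (ignore) is the safer one for a CA, because `honor_crq_extensions` copies every extension a requester puts in the CSR; when you do enable it, review what the CSR asks for before signing.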
