On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
>
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>     -extfile filename
>         File containing certificate extensions to use. If not specified
>         then no extensions are added to the certificate.
>
>     -extensions section
>         The section to add certificate extensions from. If this option is
>         not specified then the extensions should either be contained in the
>         unnamed (default) section or the default section should contain a
>         variable called "extensions" which contains the section to use. See
>         the x509v3_config(5) manual page for details of the extension
>         section format.

Ok. I'm not really a Linux guy, but I guess that means to do a "man 5 x509v3_config"? I'll check when I get to work. I guess I just have a section mislabeled, or I need to call a section differently?

> However, you don't need to create any static .cnf files with the desired
> settings. You can specify a "-extfile" on the fly via bash(1) inline
> files:
>
>     openssl x509 -extfile <(printf "..." ....) ...
>
> which is the approach taken in:
>
>     https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh

As I said, not really a Linux guy. More, I need to write this as a HOWTO for the others in my department, who have little (well, no) Linux experience. I can tell them what changes to make to a text file, and how to scp it to the Linux box, and then a step-by-step how to sign a cert using said file, and then scp it back to where it needs to be (we're a Windows place, with rare exceptions).

I'll look into it tomorrow at work. If I have further issues, I'll be back. :-)

Thanks for the help.
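
The `-extfile` / `-extensions` behaviour quoted from x509(1) above, shown with a static extension file instead of a bash inline file. This is an added example, not part of the original message or of the OpenSSL project's scripts; the CA name, hostname and section names (`demo-ca`, `host.example.test`, `server_cert`, `client_cert`) are constructed for illustration.

```sh
# Added example; demo-ca, host.example.test and both section names are constructed.
set -eu

# Create a throwaway CA plus a server key and CSR in directory $1.
make_inputs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
}

# Static extension file: "extensions" in the unnamed section names the default section.
write_extfile() {
    cat > "$1" <<'EOF'
extensions = server_cert

[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client_cert ]
extendedKeyUsage = clientAuth
EOF
}

# Sign $1/srv.csr into $1/$2; remaining arguments go to "openssl x509 -req".
sign() {
    dir=$1; crt=$2; shift 2
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/$crt" "$@" 2>/dev/null
}

# Print the extended key usage of certificate $1, or "none" if it has none.
eku_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/TLS Web/ { sub(/^[ \t]+/, ""); print; f = 1 } END { if (!f) print "none" }'
}

# Sign the same CSR three ways and report what each certificate received.
demo() {
    d=$(mktemp -d); make_inputs "$d"; write_extfile "$d/ext.cnf"
    sign "$d" plain.crt                                    # no -extfile
    sign "$d" server.crt -extfile "$d/ext.cnf"             # section from "extensions"
    sign "$d" client.crt -extfile "$d/ext.cnf" -extensions client_cert
    for c in plain server client; do printf '%s: %s\n' "$c" "$(eku_of "$d/$c.crt")"; done
    rm -rf "$d"
}
demo
```

The second signing run is the one that suits a fixed step-by-step procedure: the extension file is static and the command line never has to name a section.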