This is the basics of OpenSSL! You would like to add extensions to a CSR or the problem arises when signing it?
You create a CSR (without extension file) and then you can check/inspect whether or not it shows the extension(s) you need/want. After that, you can sign the CSR.

> Ok. I'm not really a Linux guy, but I guess that means to do a "man 5
> x509v3_config"?

I believe this odd issue has nothing to do with Linux, Mac and/or Windows.

> OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get
> my extensions added to a req.

Which part is not clear?

> Obviously I'm missing something basic. Can anyone point out what I am doing
> wrong?

Indeed you are!

We use Windows, the latest OpenSSL version and only one .cnf file. No issues at all.

First, you create a CSR file with the extensions you need/want.
(openssl req -new -config user.cnf -key user.key -out user.csr)

Then, you sign the CSR.
(openssl ca -notext -config user.cnf -in user.csr -passin .....)

That's it.

You could email me your (complete) .cnf file with all the extensions you need and I can run the above commands locally to see whether or not there is something wrong/incomplete with your .cnf file.

>>> user.cnf
...
...
[ req_distinguished_name ]
0.domainComponent      = localhost
countryName            = GB
stateOrProvinceName    = London
localityName           = Westminster
title                  = Mr
description            = End User Certificate
commonName             = testuser
emailAddress           = supp...@winradius.eu
userId                 = testuser
organizationalUnitName = IT Department
serialNumber           = 1234-2020-GB
...
...
[ user_cert ]
basicConstraints       = critical,CA:false,pathlen:0
keyUsage               = critical,keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
nsCertType             = client
extendedKeyUsage       = emailProtection
crlDistributionPoints  = @crl_dp
authorityInfoAccess    = caIssuers;URI:http://localhost/rootca.der
certificatePolicies    = ia5org,@policy
...
...
________________________________
From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Michael Leone <tur...@mike-leone.com>
Sent: Saturday, 8 February 2020 2:01 AM
To: openssl-users@openssl.org <openssl-users@openssl.org>
Subject: Re: Problems adding specific extensions to signed certificates

On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
>
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>     -extfile filename
>         File containing certificate extensions to use. If not specified
>         then no extensions are added to the certificate.
>
>     -extensions section
>         The section to add certificate extensions from. If this option is
>         not specified then the extensions should either be contained in the
>         unnamed (default) section or the default section should contain a
>         variable called "extensions" which contains the section to use. See
>         the x509v3_config(5) manual page for details of the extension
>         section format.

OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.

I am following this example page from RedHat:
https://access.redhat.com/solutions/28965

So what is the secret I am missing? The way I am reading it, in the "[ req ]" section I need to add

x509_extensions = usr_cert # Desired extensions section

and in "[ usr_cert ]", I have added the "KeyUsage" and "ExtendedKeyUsage" values I want. Which I have done, and which is not giving me what I want.

Obviously I'm missing something basic. Can anyone point out what I am doing wrong?
The example page shows signing using a separate extensions file, which I can do, and have done, and that gives me those extensions. But why doesn't it work without that extension file??
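The two workflows above (create the CSR from one .cnf and inspect it before signing, as in the top reply, and the `-extfile`/`-extensions` options quoted from x509(1)) can be exercised end to end with the script below. It is an added example, not code from the thread or from the OpenSSL project; it assumes `openssl` is on PATH, and the cnf contents, key and file names are constructed for the demonstration. It goes one step beyond the thread by signing the same CSR both with and without `-extfile`, so the difference can be checked directly.

```sh
#!/bin/sh
# Added example, not code from the thread. One user.cnf feeds extensions to
# `openssl req` (req_extensions) and, as the -extfile, to `openssl x509 -req`.
# Assumes `openssl` is on PATH; the cnf, key and file names are constructed.
set -e

# Write a minimal cnf, a fresh key and a CSR into directory $1.
make_csr() {
  mkdir -p "$1"
  cat > "$1/user.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = user_cert   # used by `openssl req -new` (CSR)
x509_extensions    = user_cert   # used only by `openssl req -x509`

[ req_distinguished_name ]
CN = testuser

[ user_cert ]
basicConstraints = critical,CA:false
keyUsage         = critical,keyEncipherment
extendedKeyUsage = emailProtection
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$1/user.key" 2>/dev/null
  openssl req -new -config "$1/user.cnf" -key "$1/user.key" -out "$1/user.csr"
}

# Self-sign the CSR in $1 with `x509 -req`. With $2 = "with", the user_cert
# section of the same cnf is passed via -extfile/-extensions; otherwise the
# command runs bare, which (per x509(1)) adds no extensions at all.
sign_csr() {
  if [ "$2" = with ]; then
    openssl x509 -req -days 1 -in "$1/user.csr" -signkey "$1/user.key" \
        -extfile "$1/user.cnf" -extensions user_cert -out "$1/user.crt" \
        2>/dev/null
  else
    openssl x509 -req -days 1 -in "$1/user.csr" -signkey "$1/user.key" \
        -out "$1/user.crt" 2>/dev/null
  fi
}

# Inspection step: succeed only if the CSR / cert text dump mentions $2.
csr_has_ext()  { openssl req  -in "$1/user.csr" -noout -text | grep -q "$2"; }
cert_has_ext() { openssl x509 -in "$1/user.crt" -noout -text | grep -q "$2"; }
```

Run `make_csr`, then `csr_has_ext <dir> 'X509v3 Key Usage'` to confirm the CSR carries the extensions before any signing step; the same check against the certificate shows that `x509 -req` keeps them only when `-extfile`/`-extensions` is given.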