Re: Problems adding specific extensions to signed certificates

2020-02-10 Thread Michael Leone
On Fri, Feb 7, 2020 at 4:02 PM Michael Wojcik
 wrote:
>
> > From: Michael Leone [mailto:tur...@mike-leone.com]
> > Sent: Friday, February 07, 2020 13:13
> >
> > I've got it almost all figured out, except how to get a subjectAltName
> > automatically populated by the CN of the requestor. My requests aren't
> > asking for a SAN, but Chrome isn't happy without one, so I'd like to
> > at least auto-populate 1 SAN by having it be the DNS: of the
> > requesting CSR.
>
>
> Not automatically, unfortunately. openssl ca recognizes a special 
> "email:copy" token in the extension list in the configuration file, but 
> that's only for email addresses in the Subject DN.

Here's what I did. I created a file with a section name, and a SAN name:

$ sudo more cert-extensions
[ PHA_extensions ]
subjectAltName=DNS.1:

I then call that out, when I sign:

$ sudo openssl ca -days 3650 -in requests/request.CSR.txt \
    -out certs/2020-02-10.pem -extensions PHA_extensions \
    -extfile cert-extensions -policy policy_anything

That way, I can write up step-by-step HOWTOs, for the other folks in
the department to whom using the command line is an obsolete and
dinosaur way of computing (don't ask ..), and just tell them they have
to create a simple text file with the specific alt name(s) wanted, and
copy that, along with the CSR, over to the Linux VM for signing, and
issue the above command, following the HOWTO.

Eventually, I will be creating a Windows Intermediate CA, and that way
I can just generate the certs that way, which is a lot easier, in an
almost all Windows environment, using AD. And then I can turn off the
Linux root CA, since I'll never use it again; I'll only use the
intermediate CA.

Thanks for all the help, everybody. It never occurred to me that I
wasn't issuing certs the correct way, since the way I was issuing
them, had always worked. Right up until I needed a SAN or certain
extensions ...


RE: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Wojcik
> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Friday, February 07, 2020 13:13
>
> I've got it almost all figured out, except how to get a subjectAltName
> automatically populated by the CN of the requestor. My requests aren't
> asking for a SAN, but Chrome isn't happy without one, so I'd like to
> at least auto-populate 1 SAN by having it be the DNS: of the
> requesting CSR.


Not automatically, unfortunately. openssl ca recognizes a special "email:copy" 
token in the extension list in the configuration file, but that's only for 
email addresses in the Subject DN.

I generally script this sort of thing.

If you have the CN handy before you create the CSR, just add it there:

   CN=
   openssl req ... -addext "subjectAltName=DNS:$CN"

If not, you can do it at the issuing stage by extracting the CN from the CSR 
and then putting it into a SAN appended to the list of extensions for ca. 
Unfortunately ca doesn't have the -addext option (alas), but you can do it with 
a temporary file, perhaps using a bash inline file as Viktor suggested in an 
earlier message in this thread.

Currently for historical reasons the scripts I have for doing this are all for 
Windows, but it's actually easier to do it on Linux or UNIX (or on Windows 
using Cygwin or WSL or whatever). Something like this:

   CnLine=$(openssl req -in "$CsrFile" -noout -subject \
       -nameopt sep_multiline,sname | grep " CN=")
   openssl ca ... -extfile <(cat extensions-file; \
       echo "subjectAltName=DNS:${CnLine# *CN=}")

Though that may be a bit too clever to be easily maintainable, depending on 
who's going to maintain it. It might be more sensible to have the script build 
a temporary file with multiple, more easily understood and debugged steps. (You 
may want to watch for potential TOCTOU vulnerabilities if you use that 
approach, though it sounds like this isn't a concern for your particular use 
case.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus

Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Leone
On Fri, Feb 7, 2020 at 3:08 PM Michael Wojcik
 wrote:
>
> > From: Michael Leone [mailto:tur...@mike-leone.com]
> > Sent: Friday, February 07, 2020 11:55
> >
> > How is it that this works for everyone else, and not me? :-)
>
> It doesn't.
>
> I just reviewed this whole note stream, and realized you're using "openssl 
> req" to create the certificate, rather than "openssl ca", according to your 
> first note.
>
> openssl req doesn't respect copy_extensions, because it doesn't use a 
> CA-section in the configuration file.
>
> To accomplish what you want, you'll have to use openssl ca. There are a 
> number of walkthroughs online for setting that up.

Yep, I've been communicating offlist with another member, and he's
finally set me straight. Now I am using "openssl ca", and it is giving
me the extensions the CSR is asking for.

I've got it almost all figured out, except how to get a subjectAltName
automatically populated by the CN of the requestor. My requests aren't
asking for a SAN, but Chrome isn't happy without one, so I'd like to
at least auto-populate 1 SAN by having it be the DNS: of the
requesting CSR.

Is that doable?


RE: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Wojcik
> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Friday, February 07, 2020 11:55
>
> How is it that this works for everyone else, and not me? :-)

It doesn't.

I just reviewed this whole note stream, and realized you're using "openssl req" 
to create the certificate, rather than "openssl ca", according to your first 
note.

openssl req doesn't respect copy_extensions, because it doesn't use a 
CA-section in the configuration file.

To accomplish what you want, you'll have to use openssl ca. There are a number 
of walkthroughs online for setting that up.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Leone
On Fri, Feb 7, 2020 at 1:46 PM Michael Leone  wrote:
>
> On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik
>  wrote:
> > Or copied using the copy_extensions option, as noted in the discussion of 
> > that issue.
> >
> > In the OpenSSL configuration file used by "openssl ca", in the CA section 
> > (that is, the section named by the default_ca option, or in the section 
> > specified by the -name parameter to the openssl ca command), add:
> >
> > copy_extensions=copy
> >
> > That will copy all extensions from the CSR that aren't overridden by the 
> > specified extensions section. As Rich noted in the discussion of issue 
> > 10458, and as should be obvious, this is a major security risk if you don't 
> > also control CSR generation (i.e. if your CSRs are tainted).
>
> I will try that. Since I deal only in cert requests generated

Nope; didn't work for me. I get no extensions listed in the cert at
all, not the ones requested by the CSR, not the ones listed in the CA.
Nuthin. LOL

Only if I use the -extfile parameter do I get extensions, and those
may not be what the CSR is requesting.

How is it that this works for everyone else, and not me? :-)


Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Leone
On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik
 wrote:
> Or copied using the copy_extensions option, as noted in the discussion of 
> that issue.
>
> In the OpenSSL configuration file used by "openssl ca", in the CA section 
> (that is, the section named by the default_ca option, or in the section 
> specified by the -name parameter to the openssl ca command), add:
>
> copy_extensions=copy
>
> That will copy all extensions from the CSR that aren't overridden by the 
> specified extensions section. As Rich noted in the discussion of issue 10458, 
> and as should be obvious, this is a major security risk if you don't also 
> control CSR generation (i.e. if your CSRs are tainted).

I will try that. Since I deal only in cert requests generated
in-house, this should be OK for us.


RE: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Salz, Rich via openssl-users
> Sent: Friday, February 07, 2020 09:17
>
> I think the mismatch is that CSR extensions are not carried over; they have
> to be added at signing time.
> See https://github.com/openssl/openssl/issues/10458

Or copied using the copy_extensions option, as noted in the discussion of that 
issue.

In the OpenSSL configuration file used by "openssl ca", in the CA section (that 
is, the section named by the default_ca option, or in the section specified by 
the -name parameter to the openssl ca command), add:

copy_extensions=copy

That will copy all extensions from the CSR that aren't overridden by the 
specified extensions section. As Rich noted in the discussion of issue 10458, 
and as should be obvious, this is a major security risk if you don't also 
control CSR generation (i.e. if your CSRs are tainted).

See the documentation for openssl ca for more information. If you don't like 
using the man command, read the OpenSSL docs online:

https://www.openssl.org/docs/man1.1.1/man1/ca.html

I'm assuming a reasonably recent version of OpenSSL.

So:
1. Make sure your threat model allows copying extensions from CSRs to 
certificates.
2. Make sure your CA configuration has "copy_extensions=copy" (or possibly 
copyall, though use cases justifying that are less common).
3. Make sure the CSRs you're generating have the extensions you want.
4. Generate a new CSR or revoke the certificate for one you've already issued, 
and try again.

--
Michael Wojcik

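Here is the whole procedure from the four steps above run end to end, as an added example rather than code from this thread or from OpenSSL: a throwaway "openssl ca" with copy_extensions=copy is built in a temporary directory, an honest CSR and one that requests CA:TRUE are both signed, and the CSR's request only gets through when the section named by -extensions fails to pin basicConstraints itself, which is step 1's threat-model point in practice. The same block also implements Michael Wojcik's follow-up suggestion of deriving the SAN from the CSR's CN with a generated -extfile, checking first that the CN is a plain hostname, since it is written into a config file. All names (Example Test Root, web01.example.test, the pinned/lax/san section names) are made up, and extensions are requested through req_extensions rather than -addext so the script also works on OpenSSL 1.1.0, the version the original post mentions.

```shell
#!/bin/sh
# Added example, not code from the thread. It builds a throwaway "openssl ca" with
# copy_extensions=copy in a temp dir and demonstrates two points made in the replies:
#  1. copied CSR extensions are only as trustworthy as the CSR, so the section named
#     by -extensions must pin basicConstraints and keyUsage itself;
#  2. "openssl ca" has no -addext, so a SAN taken from the CSR's CN is supplied by
#     generating a small -extfile at signing time.
# Names (Example Test Root, web01.example.test, section names) are made up.
set -eu
# make_ca DIR: directory layout, config (with the extension sections used below) and root.
make_ca() {
  local dir=$1
  mkdir -p "$dir/newcerts" "$dir/private"
  : > "$dir/index.txt"; echo 1000 > "$dir/serial"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.pem
private_key = \$dir/private/ca.key
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_anything
copy_extensions = copy
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
# pinned: the CA decides these, whatever the CSR requested (copy never overrides them).
[ pinned ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
# lax: says nothing about basicConstraints, so a CSR's CA:TRUE is copied in. Do not use.
[ lax ]
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
    -subj "/CN=Example Test Root" -keyout "$dir/private/ca.key" -out "$dir/ca.pem" 2>/dev/null
}
# make_csr DIR NAME EXT...: key and CSR for /CN=NAME requesting each EXT line via
# req_extensions (works on 1.1.0, which lacks -addext); prints the CSR path.
make_csr() {
  local dir=$1 name=$2; shift 2
  { printf '[ req ]\ndistinguished_name = req_dn\nreq_extensions = req_ext\n[ req_dn ]\n[ req_ext ]\n'
    printf '%s\n' "$@"; } > "$dir/$name.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/$name.cnf" -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  echo "$dir/$name.csr"
}
# sign_csr DIR CSR EXTFILE SECTION: issue with "openssl ca" (EXTFILE may be ca.cnf itself);
# prints the copy ca writes to new_certs_dir, which is named after the serial it consumed.
sign_csr() {
  local dir=$1 serial; serial=$(cat "$dir/serial")
  openssl ca -batch -notext -config "$dir/ca.cnf" -extfile "$3" -extensions "$4" -in "$2" >/dev/null 2>&1
  echo "$dir/newcerts/$serial.pem"
}
# cn_from_csr CSR: the subject CN, read from the one-attribute-per-line name format.
cn_from_csr() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline,sname | sed -n 's/^ *CN=//p'
}
# sign_with_cn_san DIR CSR: write the pinned extensions plus "subjectAltName = DNS:<CN>" to a
# generated extfile and sign with it. The CN must look like a hostname: it is copied verbatim
# into a config file the CA then trusts, and a CSR's subject is requester-chosen text.
sign_with_cn_san() {
  local dir=$1 csr=$2 cn ext="${2%.csr}.san.ext"
  cn=$(cn_from_csr "$csr")
  case "$cn" in ""|*[!A-Za-z0-9.-]*) echo "CN is not a hostname: '$cn'" >&2; return 1;; esac
  { printf '[ san ]\nbasicConstraints = critical,CA:FALSE\n'
    printf 'keyUsage = critical,digitalSignature,keyEncipherment\nsubjectAltName = DNS:%s\n' "$cn"; } > "$ext"
  sign_csr "$dir" "$csr" "$ext" san
}
# ext_value CERT HEADING: the line "x509 -text" prints under an extension heading ("" if absent).
ext_value() {
  openssl x509 -in "$1" -noout -text | grep -A1 "$2" | tail -n 1 | sed 's/^ *//'
}
# demo: runs the scenario in a temp dir; expected: CA:FALSE, CA:FALSE, CA:TRUE, DNS:web01.example.test
demo() {
  local tmp honest tainted; tmp=$(mktemp -d)
  make_ca "$tmp"
  honest=$(make_csr "$tmp" web01.example.test 'extendedKeyUsage = serverAuth')
  tainted=$(make_csr "$tmp" evil.example.test 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign')
  echo "honest CSR,  pinned: $(ext_value "$(sign_csr "$tmp" "$honest" "$tmp/ca.cnf" pinned)" 'Basic Constraints')"
  echo "tainted CSR, pinned: $(ext_value "$(sign_csr "$tmp" "$tainted" "$tmp/ca.cnf" pinned)" 'Basic Constraints')"
  echo "tainted CSR, lax:    $(ext_value "$(sign_csr "$tmp" "$tainted" "$tmp/ca.cnf" lax)" 'Basic Constraints')"
  echo "CN-derived SAN:      $(ext_value "$(sign_with_cn_san "$tmp" "$honest")" 'Subject Alternative Name')"
  rm -rf "$tmp"
}
if [ "${1:-}" = run ]; then demo; fi
```

Run it as "sh script.sh run" to see the four result lines, or source it and call the functions one at a time. The CA-controlled section wins because openssl ca adds the configured extensions first and then copies from the CSR only the OIDs not already present; "copyall" reverses that and lets the CSR override the CA, which is why it is the setting Michael Wojcik says is rarely justified.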

Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Salz, Rich via openssl-users
I think the mismatch is that CSR extensions are not carried over; they have to 
be added at signing time.
See https://github.com/openssl/openssl/issues/10458

Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Leone
On Fri, Feb 7, 2020 at 11:02 AM Sergio NNX  wrote:
>
> This is the basics of OpenSSL!
>
> You would like to add extensions to a CSR or the problem arises when signing 
> it?

Yes, when I sign, I get no extensions that are requested in the CSR.
Nor are any added, when I sign (requested or not).

> > OK, so I read "man 5 x509v3_config", and it's still not clear to me how I 
> > get my extensions added to a req.
> Which part is not clear?

Pretty much all of it :-), because I tried doing it the way the man
page showed, and nothing worked for me.
I want the signed cert to have the requested extensions. And also a
SAN, since Chrome isn't happy unless it finds a SAN.
And sometimes more extensions than requested, if need be.

> First, you create a CSR file with the extensions you need/want.
> (openssl req -new -config user.cnf -key user.key -out user.csr)

No, our CSRs are created by the machine that will use it. (IIS server,
AD DC, Linux phone system, etc). I never create a req, I just sign
incoming ones.

> That's it.

I can sign just fine. What I can't get is a cert the way I need it
to be ... (well, I can, if I add in a -extfile containing all the
extensions, requested or not).

I can send you the openssl.cnf off list.


Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Leone
On Fri, Feb 7, 2020 at 10:30 AM Michael Richardson  wrote:
>
>
> Michael Leone  wrote:
> > On Fri, Feb 7, 2020 at 8:54 AM Michael Leone  
> wrote:
> >> Thanks, tho, I did learn a thing or two. I see from this example
> >>
> >> openssl req -config $cfgdir/openssl-root.cnf $passin \
> >> -set_serial 0x$(openssl rand -hex $sn)\
> >> -keyform $format -outform $format\
> >> -key $rootca/private/ca.key.$format -subj "$DN"\
> >> -new -x509 -days 7300 -sha256 -extensions v3_ca\
> >> -out $cadir/certs/ca.cert.$format
> >>
> >>
> >> That maybe I can pass the explicit section that has the extensions
> >> that I want, from the command line. I will try that. In my case, the
> >> "[ usr_cert ]" or perhaps "[ server_cert ]".
>
> > Nope, no key extensions in the generated cert, even when passing
> > "-extensions user_cert" on the CLI.
>
> > I'll keep plugging away, I guess.
>
> What's in the [user_cert] stanza?

This: (the "user" is a typo; the entry reads "usr", and that is what I
used in the CLI invocation.)

# Extensions for client certificates (`man x509v3_config`).
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "PHA Internally generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash
subjectAltName = @alt_names

I did get it to work, on the signing command by doing this:

sudo openssl x509 -req -days 3650 -in requests/ -CA certs/ \
    -CAkey private/ -extensions PHA_extensions -extfile cert-extensions

with the file "cert-extensions":

[ PHA_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment,nonRepudiation
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash
subjectAltName=DNS.1:

I couldn't get any extensions - none, or SAN, into the cert any other
way. Nor did the cert have the CSR requested extensions, until I added
them in that file. This is in the CSR:

   Requested Extensions:
       X509v3 Key Usage: critical
           Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
       X509v3 Extended Key Usage:
           TLS Web Server Authentication

(I am using a IIS server to make the requests, as the vast majority of
certs that I will sign will come either from IIS, or a Windows server)

-- 

Mike. Leone, 

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: 

This space reserved for future witticisms ...


Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Sergio NNX
This is the basics of OpenSSL!

You would like to add extensions to a CSR or the problem arises when signing it?

You create a CSR (without extension file) and then you can check/inspect 
whether or not it shows the extension(s) you need/want. After that, you can 
sign the CSR.



> Ok. I'm not really a Linux guy, but I guess that means to do a "man 5 
> x509v3_config"?
I believe this odd issue has nothing to do with Linux, Mac and/or Windows.

> OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get 
> my extensions added to a req.
Which part is not clear?


> Obviously I'm missing something basic. Can anyone point out what I am doing 
> wrong?
Indeed you are!

We use Windows, the latest OpenSSL version and only one .cnf file. No issues at 
all.

First, you create a CSR file with the extensions you need/want.
(openssl req -new -config user.cnf -key user.key -out user.csr)

Then, you sign the CSR
(openssl ca -notext -config user.cnf -in user.csr -passin .)

That's it.

You could email me your (complete) .cnf file with all the extensions you need 
and I can run the above commands locally to see whether or not there is 
something wrong/incomplete with your .cnf file.


>>> user.cnf

...
...
[ req_distinguished_name ]
0.domainComponent = localhost
countryName = GB
stateOrProvinceName = London
localityName = Westminster
title = Mr
description = End User Certificate
commonName = testuser
emailAddress = supp...@winradius.eu
userId = testuser
organizationalUnitName = IT Department
serialNumber = 1234-2020-GB

...
...

[ user_cert ]
basicConstraints = critical,CA:false,pathlen:0
keyUsage = critical,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
nsCertType = client
extendedKeyUsage = emailProtection
crlDistributionPoints = @crl_dp
authorityInfoAccess = caIssuers;URI:http://localhost/rootca.der
certificatePolicies = ia5org,@policy
...
...



Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Leone
On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni
 wrote:
>
> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
>
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>-extfile filename
>File containing certificate extensions to use. If not specified
>then no extensions are added to the certificate.
>
>-extensions section
>The section to add certificate extensions from. If this option is
>not specified then the extensions should either be contained in the
>unnamed (default) section or the default section should contain a
>variable called "extensions" which contains the section to use. See
>the x509v3_config(5) manual page for details of the extension
>section format.

OK, so I read "man 5 x509v3_config", and it's still not clear to me
how I get my extensions added to a req.
I am following this example page from RedHat

 https://access.redhat.com/solutions/28965

So what is the secret I am missing? The way I am reading it, in the
"[ req ]" section I need to add

x509_extensions  = usr_cert # Desired extensions section

and in "[ usr_cert ]", I have added the "KeyUsage" and
"ExtendedKeyUsage" values I want.

which I have done, and which is not giving me what I want.

Obviously I'm missing something basic. Can anyone point out what I am
doing wrong?

The example page shows signing using a separate extensions file, which
I can do, and have done, and that gives me those extensions. But why
doesn't it work without that extension file??


Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Michael Leone
On Fri, Feb 7, 2020 at 8:54 AM Michael Leone  wrote:
> Thanks, tho, I did learn a thing or two. I see from this example
>
> openssl req -config $cfgdir/openssl-root.cnf $passin \
>  -set_serial 0x$(openssl rand -hex $sn)\
>  -keyform $format -outform $format\
>  -key $rootca/private/ca.key.$format -subj "$DN"\
>  -new -x509 -days 7300 -sha256 -extensions v3_ca\
>  -out $cadir/certs/ca.cert.$format
>
>
> That maybe I can pass the explicit section that has the extensions
> that I want, from the command line. I will try that. In my case, the
> "[ usr_cert ]" or perhaps "[ server_cert ]".

Nope, no key extensions in the generated cert, even when passing
"-extensions user_cert" on the CLI.

I'll keep plugging away, I guess.


Re: Problems adding specific extensions to signed certificates

2020-02-06 Thread Michael Leone
On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni 
wrote:

> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
>
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>-extfile filename
>File containing certificate extensions to use. If not specified
>then no extensions are added to the certificate.
>
>-extensions section
>The section to add certificate extensions from. If this option is
>not specified then the extensions should either be contained in the
>unnamed (default) section or the default section should contain a
>variable called "extensions" which contains the section to use. See
>the x509v3_config(5) manual page for details of the extension
>section format.
>
>
Ok. I'm not really a Linux guy, but I guess that means to do a "man 5
x509v3_config"?

I'll check when I get to work. I guess I just have a section mislabeled, or
I need to call a section differently?



> However, you don't need to create any static .cnf files with the desired
> settings.  You can specify a "-extfile" on the fly via bash(1) inline
> files:
>
> openssl x509 -extfile <(printf "..." ) ...
>
> which is the approach taken in:
>
> https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh



As I said, not really a Linux guy. More, I need to write this as a HOWTO
for the others in my department, who have little (well, no) Linux
experience. I can tell them what changes to make to a text file, and how to
scp it to the Linux box, and then a step-by-step how to sign a cert using
said file, and then scp it back to where it needs to be (we're a Windows
place, with rare exceptions).

I'll look into it tomorrow at work. If I have further issues, I'll be back.
:-)

Thanks for the help.


Re: Problems adding specific extensions to signed certificates

2020-02-06 Thread Viktor Dukhovni
On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:

> Oh, I can add extensions by signing and using the -extfile option, and
> specifying a file with the specific options I want to give the
> certificate. But I don't want to have to use an addon file, I want to
> add parameters to all signed certificates.

The documentation of x509(1) which you're using with "-req" as a
mini-CA, states explicitly:

   -extfile filename
   File containing certificate extensions to use. If not specified
   then no extensions are added to the certificate.

   -extensions section
   The section to add certificate extensions from. If this option is
   not specified then the extensions should either be contained in the
   unnamed (default) section or the default section should contain a
   variable called "extensions" which contains the section to use. See
   the x509v3_config(5) manual page for details of the extension
   section format.

> What part am I missing, or not understanding? I've got something basic
> wrong here, I just can't figure out what.

See above.

> Signing command:
> 
> sudo openssl x509 -req -days 3650 -in requests/ \
>   -CA certs/ \
>   -CAkey private/ \
>   -CAserial serial -out certs/
> 
> Doing that, I get no extensions.

As documented.

> Adding " -extfile cert-extensions", and putting the above extensions
> in that file, then I *do* get them.

As documented.

> I can post the whole openssl.cnf, if need be.

However, you don't need to create any static .cnf files with the desired
settings.  You can specify a "-extfile" on the fly via bash(1) inline
files:

openssl x509 -extfile <(printf "..." ) ...

which is the approach taken in:

https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh

-- 
Viktor.

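The behaviour Viktor quotes, shown as an added example (not code from the thread or from mkcert.sh): a CSR that requests a SAN and serverAuth is signed with the first post's "openssl x509 -req" command twice against a throwaway root, once bare and once with a generated -extfile. The bare run yields a certificate with no SAN regardless of what the CSR asked for; only the -extfile run adds one. A temporary file stands in for the bash <(printf ...) process substitution so the script runs under plain sh. Names (Example Test Root, web01.example.test) are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. "openssl x509 -req" is a mini-CA that adds exactly
# what -extfile/-extensions supply and ignores whatever the CSR requested (OpenSSL 3.x added a
# -copy_extensions option to x509, but ignoring them is still the default). A temp file stands
# in for bash's <(printf ...) so this runs under plain sh. Names are made up.
set -eu
# mini_root DIR: root key and self-signed cert; the config is just enough for -subj to work.
mini_root() {
  printf '[ req ]\ndistinguished_name = dn\nx509_extensions = root_ext\n[ dn ]\n[ root_ext ]\nbasicConstraints = critical,CA:TRUE\n' > "$1/root.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$1/root.cnf" \
    -subj "/CN=Example Test Root" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
# csr_with_san DIR NAME: CSR for /CN=NAME that requests a SAN and serverAuth; prints its path.
csr_with_san() {
  printf '[ req ]\ndistinguished_name = dn\nreq_extensions = re\n[ dn ]\n[ re ]\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$2" > "$1/$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  echo "$1/$2.csr"
}
# sign_x509_req DIR CSR [EXTFILE]: the signing command from the first post, with or without
# -extfile. The file needs no section header: x509 reads its unnamed default section.
sign_x509_req() {
  local out="${2%.csr}${3:+.ext}.pem"
  if [ -n "${3:-}" ]; then
    openssl x509 -req -days 365 -in "$2" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
      -extfile "$3" -out "$out" 2>/dev/null
  else
    openssl x509 -req -days 365 -in "$2" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
      -out "$out" 2>/dev/null
  fi
  echo "$out"
}
# san_of KIND FILE: the SAN value "-text" prints for a req or x509 file, or "none" if absent.
san_of() {
  local v
  v=$(openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')
  echo "${v:-none}"
}
# demo: the CSR asks for the SAN; bare x509 -req drops it; the extfile puts it back.
demo() {
  local tmp csr; tmp=$(mktemp -d)
  mini_root "$tmp"
  csr=$(csr_with_san "$tmp" web01.example.test)
  echo "CSR requests:   $(san_of req "$csr")"
  echo "bare x509 -req: $(san_of x509 "$(sign_x509_req "$tmp" "$csr")")"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' web01.example.test > "$tmp/ext"
  echo "with -extfile:  $(san_of x509 "$(sign_x509_req "$tmp" "$csr" "$tmp/ext")")"
  rm -rf "$tmp"
}
if [ "${1:-}" = run ]; then demo; fi
```

Run it as "sh script.sh run". The one-line printf works as an -extfile because, with no -extensions given, x509 takes the extensions from the file's unnamed default section, exactly as the quoted man page text says; that is also what makes Viktor's <(printf ...) form work in bash.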

Problems adding specific extensions to signed certificates

2020-02-06 Thread Michael Leone
This is driving me crazy. I have a CA, running on Debian 9, running
openssl 1.1.0. (this CA is for our organization internal use only, of
course). I can successfully sign requests. However, what I can't seem
to do, is add x509 extensions to the signed certificate, as part of
the openssl.cnf.

Oh, I can add extensions by signing and using the -extfile option, and
specifying a file with the specific options I want to give the
certificate. But I don't want to have to use an addon file, I want to
add parameters to all signed certificates.

keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash

(since all requests come from our own servers, I know that I want to
be sure that the requesting cert gets these, regardless of what else
the request asks for)

But I'm having a heck of a time accomplishing this, probably due to my
own lack of understanding. I thought that, in the "[ req ]" section of
my openssl.cnf, if I have this:


# This is the default certificate request settings
#
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
#x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions = v3_req
x509_extensions = usr_cert

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "PHA Internally generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
#keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage = clientAuth, emailProtection
#
# PHA Added
#
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash

Then I would get the extensions that I want, since they are in the "[
usr_cert ]" section, which is what is called for the x509_extensions
when signing a request.

But that turns out not to be the case.

What part am I missing, or not understanding? I've got something basic
wrong here, I just can't figure out what.

Signing command:

sudo openssl x509 -req -days 3650 -in requests/ -CA certs/ \
    -CAkey private/ -CAserial serial -out certs/

Doing that, I get no extensions.
Adding " -extfile cert-extensions", and putting the above extensions
in that file, then I *do* get them.

I can post the whole openssl.cnf, if need be.

Thanks for any help.

-- 

Mike. Leone, 

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: 

This space reserved for future witticisms ...