Open mickeyreg opened 6 years ago
This is documented:
-extfile filename
    file containing certificate extensions to use. If not specified then no extensions are added to the certificate.
I can't explain why it's done this way, though...
At best, we can see this as a feature request, to be done for the next major release (which won't be soon).
Marking as inactive, to be closed at the end of 3.4 dev, barring further input
Hi,
Maybe it is normal and intentional behavior, but in my opinion it is a little strange, so I've decided to write.
Sign certificate command:
% openssl x509 -req -in csr.pem -out cert.pem -extensions usr_cert -CA cacert.pem -CAkey cakey.pem -CAcreateserial -days 365
The section usr_cert is present in default config file /etc/ssl/openssl.cnf and the result is:
% openssl x509 -in cert.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
So the v1 without extensions. I had to explicitly add the config file location with the -extfile option:
% openssl x509 -req -in csr.pem -out cert.pem -extfile /etc/ssl/openssl.cnf -extensions usr_cert -CA cacert.pem -CAkey cakey.pem -CAcreateserial -days 365
To get v3 certificate with extensions:
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
Most openssl options I've used do not require config file information if the standard configuration file is used, but in this case the behavior is different.

Regards, Mickey
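
An added example, not part of the original thread or of OpenSSL's own code: a post-signing check that fails when a certificate comes out as v1 or lacks an expected extension, which is the silent outcome described in the report. The function names and the sample text are constructed for illustration.

```shell
# Added example: gate a signing step on the certificate really being v3 with
# the requested extensions. Function names here are hypothetical.

# Reads `openssl x509 -noout -text` output on stdin. Arguments are extension
# names as openssl prints them after "X509v3 " (e.g. "Basic Constraints").
# Prints one FAIL line per problem; returns 0 on pass, 1 otherwise.
check_cert_text() {
    local text version ext rc=0
    text=$(cat)
    # Pull the number out of a line such as "Version: 3 (0x2)".
    version=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Version:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1)
    if [ "$version" != "3" ]; then
        echo "FAIL: certificate version is '${version:-unknown}', expected 3"
        rc=1
    fi
    for ext in "$@"; do
        if ! printf '%s\n' "$text" | grep -q "^[[:space:]]*X509v3 ${ext}:"; then
            echo "FAIL: missing extension: X509v3 ${ext}"
            rc=1
        fi
    done
    return "$rc"
}

# Same check against a PEM file such as the cert.pem produced in the thread.
check_cert_file() {
    local cert=$1
    shift
    openssl x509 -in "$cert" -noout -text | check_cert_text "$@"
}

# Constructed samples mirroring the two outputs quoted in the report.
V1_TEXT='Certificate:
    Data:
        Version: 1 (0x0)'
V3_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'

printf '%s\n' "$V1_TEXT" | check_cert_text "Basic Constraints" || echo "v1 sample rejected"
printf '%s\n' "$V3_TEXT" | check_cert_text "Basic Constraints" && echo "v3 sample accepted"
```

In a signing script, calling `check_cert_file cert.pem "Basic Constraints"` straight after the `openssl x509 -req` step turns a dropped `-extfile` into a hard failure instead of an unnoticed v1 certificate.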