openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

extensions not read from default config #6269

Open mickeyreg opened 6 years ago

mickeyreg commented 6 years ago

Hi,

Maybe it is normal and intentional behavior, but in my opinion it is a little strange, so I've decided to write.

Sign certificate command:

% openssl x509 -req -in csr.pem -out cert.pem -extensions usr_cert -CA cacert.pem -CAkey cakey.pem -CAcreateserial -days 365

The section usr_cert is present in default config file /etc/ssl/openssl.cnf and the result is:

% openssl x509 -in cert.pem -text
Certificate:
    Data:
        Version: 1 (0x0)

So the v1 without extensions. I had to explicitly add the config file location with the -extfile option:

% openssl x509 -req -in csr.pem -out cert.pem -extfile /etc/ssl/openssl.cnf -extensions usr_cert -CA cacert.pem -CAkey cakey.pem -CAcreateserial -days 365

To get v3 certificate with extensions:

Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE

Most openssl options I've used do not require config file information if the standard configuration file is used, but in this case the behavior is different.

Regards, Mickey

levitte commented 6 years ago

This is documented:

       -extfile filename

           file containing certificate extensions to use. If not specified
           then no extensions are added to the certificate.

Ref: the 1.0.2 manual page

I can't explain why it's done this way, though...

At best, we can see this as a feature request, to be done for the next major release (which won't be soon).
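Reproducing the behaviour from the report and the documented -extfile rule quoted above, as an added example that is not from the issue or from the OpenSSL project: a throwaway CA and CSR are built from a constructed config file (ext.cnf, with the section names usr_cert and v3_ca assumed), the CSR is signed once without and once with -extfile, and check_leaf is the guard a signing script can run so that a certificate which silently came out as v1 without its extensions is noticed before it is deployed.

```shell
#!/bin/sh
# Added example, not from the issue: reproduce the reported behaviour and show a
# post-signing check that catches a leaf certificate that silently lost its extensions.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Constructed config (assumed section names). usr_cert mirrors the kind of section a
# default openssl.cnf ships; the system file is deliberately not used, so this runs stand-alone.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Throwaway CA and a CSR for a leaf (names and key size are test values)
openssl req -config ext.cnf -x509 -newkey rsa:2048 -nodes -keyout cakey.pem \
    -out cacert.pem -subj "/CN=Test CA" -extensions v3_ca -days 1 >/dev/null 2>&1
openssl req -config ext.cnf -newkey rsa:2048 -nodes -keyout key.pem \
    -out csr.pem -subj "/CN=leaf.example" >/dev/null 2>&1
# sign_cert OUT [ARGS...]: the signing command from the report, plus extra x509 options
sign_cert() {
    out=$1; shift
    openssl x509 -req -in csr.pem -out "$out" -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 1 "$@" >/dev/null 2>&1
}
# cert_version FILE: prints 1 or 3, taken from the parsed certificate
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}
# has_extension FILE NAME: succeeds if the named X509v3 extension is present
has_extension() {
    openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2:"
}
# check_leaf FILE: guard to run before a freshly signed leaf certificate is shipped
check_leaf() {
    if [ "$(cert_version "$1")" = "3" ] && has_extension "$1" "Basic Constraints"; then
        return 0
    fi
    return 1
}
sign_cert cert_v1.pem -extensions usr_cert                   # -extensions alone: v1, no extensions
sign_cert cert_v3.pem -extfile ext.cnf -extensions usr_cert  # with -extfile: v3 carrying usr_cert
```

Run it and then compare `openssl x509 -in cert_v1.pem -noout -text` with the cert_v3.pem output to see the difference the report describes.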

nhorman commented 2 weeks ago

Marking as inactive, to be closed at the end of 3.4 dev, barring further input