Creating an x509 v3 user certificate by signing CSR
49,666
Solution 1
You need to specify an extensions file.
For example:
openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt
The extensions file (v3.ext) can look like this:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
Solution 2
The answer of gtrig works if you have -req as well. It didn't work without that for me.
So the command is:
openssl x509 -req -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt -days 365
(had to give as a new answer as I don't have enough rep. to comment).
Author by
Hex-Omega
Updated on January 30, 2021Comments
-
Hex-Omega over 3 years
I know how to sign a CSR using
openssl
, but the result certificate is an x509 v1, and not v3.I'm using the following commands:
x509 -req -days 365 -in myCSR.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt
I've searched but have not been able to find a solution. Is there another way to do this programmatically?
-
Aleksandar almost 6 yearsThis might be a good place to say that You can specify the SAN (Subject Alternative Names) in the extension file by adding a line:
subjectAltName=DNS:hostname, IP:192.168.7.1
. You can leave out the DNS or IP part, but don't forget to remove the comma then. More info here.