OpenSSL sign requests with extensions
Found it! What I described is the normal expected behaviour of openssl. By default, custom extensions are not copied to the certificate.
To make openssl copy the requested extensions to the certificate one has to specify copy_extensions = copy for the signing. In vanilla installations this means that this line has to be added to the section default_CA in openssl.cnf.
In the openssl.cnf that ships with (at least) Centos the line is already included as a comment and carries the warning "use with caution". Requestors can abuse this to make you issue a CA certificate, if you are not careful.
Bananguin
Updated on September 18, 2022
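As an added example (not part of the original answer), here is the kind of pre-signing check a CA operator can run once copy_extensions = copy is enabled: it reads the text form of a request as printed by openssl req -text -noout and refuses any CSR that asks for CA capabilities (basicConstraints CA:TRUE or a keyCertSign/cRLSign key usage). The two request texts are constructed samples, and the parser assumes openssl's indented "Requested Extensions:" layout.

```python
import re
# Constructed samples of `openssl req -text -noout` output (key material
# elided): the server0_http request from the question, and one that
# asks for CA capabilities instead.
GOOD_REQ = """\
Certificate Request:
    Data:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Alternative Name: 
                URI:https://server.domain.tld, IP Address:1.2.3.4, DNS:server.domain.tld
    Signature Algorithm: sha256WithRSAEncryption
"""
BAD_REQ = """\
Certificate Request:
    Data:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
"""

def parse_requested_extensions(req_text):
    """{extension name: value} from the 'Requested Extensions:' block."""
    exts, block_indent, name, name_indent = {}, None, None, None
    for line in filter(str.strip, req_text.splitlines()):
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if line.strip() == "Requested Extensions:":
                block_indent = indent
        elif indent <= block_indent:
            break  # left the block, e.g. at "Signature Algorithm:"
        elif name is None or indent == name_indent:
            # header line such as "X509v3 Key Usage: critical"
            name, name_indent = line.strip().split(":", 1)[0], indent
            exts[name] = ""
        else:  # continuation line(s) carrying the extension's value
            exts[name] = (exts[name] + " " + line.strip()).strip()
    return exts
def vet_csr_extensions(req_text):
    """List why a CSR must not be signed with copy_extensions = copy."""
    exts = parse_requested_extensions(req_text)
    problems = []
    if re.search(r"\bCA:TRUE\b", exts.get("X509v3 Basic Constraints", "")):
        problems.append("basicConstraints CA:TRUE requested")
    if re.search(r"Certificate Sign|CRL Sign", exts.get("X509v3 Key Usage", "")):
        problems.append("keyCertSign/cRLSign key usage requested")
    return problems
```

An empty list from vet_csr_extensions means the request only asks for end-entity extensions and can be passed to the signing step; a non-empty list should stop the issuance.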
Bananguin over 1 year
I set a small self signed CA for my dev environment. I would like to create many different server certificates with different properties. My approach is to create a specific extensions section for each server. I have one big openssl.cnf which contains sections like this:
    [ server0_http ]
    nsCertType = server
    nsComment = "HTTP server0"
    basicConstraints=CA:FALSE
    extendedKeyUsage=serverAuth
    subjectAltName=@server0_http_altnames

    [ server0_http_altnames ]
    URI.1 = https://server.domain.tld
    URI.2 = http://server.domain.tld
    IP.1 = 1.2.3.4
    DNS.1 = server.doamin.tld

Then when I create my csr using openssl I use the parameters -config myCustomOpenssl.cnf -reqexts server0_http. When I look at my request using openssl req -text -noout -in myrequest.csr everything looks perfect. However, after I sign the request, the "X509v3 Extended Key Usage" and "X509v3 Subject Alternative Name" sections are gone. To remedy this problem I also put -extfile myCustomOpenssl.cnf -reqexts server0_http with the parameters for the signing call to openssl.
Is that the expected behaviour? I always thought the csr-file alone must be enough to create a certificate as requested, i.e. with all its sections. The way my system works right now is that I get a certificate with missing sections. To get the certificate as I want it I have to provide the csr-file and the corresponding section from the openssl config file I used to create the request. This is no problem for my small setup, but this becomes quite messy if I became a larger CA. Is it supposed to be like that or am I using openssl incorrectly?