OpenSSL sign requests with extensions

Found it! What I described is the normal expected behavior of openssl. By default, custom extensions are not copied to the certificate.

To make openssl copy the requested extensions to the certificate one has to specify copy_extensions = copy for the signing. In vanilla installations this means that this line has to be added to the section default_CA in openssl.cnf.

In the openssl.cnf that ships with (at least) CentOS the line is already included as a comment and carries the warning "use with caution". Requestors can abuse this to make you issue a CA certificate, if you are not careful.

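A runnable walk-through of what the answer describes, added here as an example; it is not from the original post and not one of OpenSSL's own files. It builds a throwaway CA in a temporary directory with its own minimal openssl.cnf (in a stock openssl.cnf the signing section is named [ CA_default ]), creates an honest server request and a rogue one that asks for basicConstraints CA:TRUE, and signs them with copy_extensions = none and with copy_extensions = copy. On the CA side, [ server_cert ] pins basicConstraints = CA:FALSE while [ server_cert_loose ] leaves it out, which is the "use with caution" case. Section names, host names, CNs and paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSL): a throwaway CA
# in a temp dir signs the same requests with copy_extensions = none and = copy.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf for this CA; $1 is the copy_extensions value, $2 the path.
# Requester-side sections (used with -reqexts): server0_http, rogue_ca.
# CA-side sections (used with -extensions): server_cert pins basicConstraints,
# server_cert_loose forgets to. All names are made up for this example.
write_cnf() {
    cat > "$2" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
policy           = policy_any
unique_subject   = no
copy_extensions  = $1

[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ server0_http ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:server0.example.test
[ rogue_ca ]
basicConstraints = critical,CA:TRUE

[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ server_cert_loose ]
extendedKeyUsage = serverAuth
EOF
}

setup_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 01 > "$WORK/ca/serial"
    write_cnf none "$WORK/ca_none.cnf"
    write_cnf copy "$WORK/ca_copy.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
        -config "$WORK/ca_none.cnf" -extensions v3_ca \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
}

# $1 = CN and file stem, $2 = -reqexts section (what the requester asks for)
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -config "$WORK/ca_none.cnf" -reqexts "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# $1 = none|copy, $2 = CA-side -extensions section, $3 = csr stem, $4 = cert stem
sign() {
    openssl ca -batch -notext -config "$WORK/ca_$1.cnf" -extensions "$2" \
        -in "$WORK/$3.csr" -out "$WORK/$4.crt" 2>"$WORK/ca.log" \
        || { cat "$WORK/ca.log" >&2; return 1; }
}

# Prints yes/no: does the decoded certificate $1 contain the text $2?
has_ext() {
    if openssl x509 -in "$1" -noout -text | grep -q -- "$2"; then echo yes; else echo no; fi
}

run_demo() {
    setup_ca
    make_csr server0 server0_http
    make_csr rogue rogue_ca
    sign none server_cert       server0 srv_none      # default: SAN from the CSR is dropped
    sign copy server_cert       server0 srv_copy      # SAN from the CSR survives
    sign copy server_cert       rogue   rogue_pinned  # CA:FALSE already set CA-side, request's CA:TRUE ignored
    sign copy server_cert_loose rogue   rogue_loose   # nothing set CA-side, request's CA:TRUE copied in
    for c in srv_none srv_copy rogue_pinned rogue_loose; do
        printf '%-12s SAN=%-3s CA:TRUE=%s\n' "$c" \
            "$(has_ext "$WORK/$c.crt" 'DNS:server0.example.test')" "$(has_ext "$WORK/$c.crt" 'CA:TRUE')"
    done
}

run_demo
```

With copy, extensions from the request are only added when the CA-side section has not already set them, so pinning basicConstraints = CA:FALSE there is what makes copy safe; copyall would let the request overwrite even that. Note that the CA side cannot pin subjectAltName the same way without fixing it per certificate, so with copying on, the requested names still deserve a look before signing.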
Author: Bananguin

Updated on September 18, 2022

Comments

  • Bananguin, over 1 year ago

    I set up a small self-signed CA for my dev environment. I would like to create many different server certificates with different properties. My approach is to create a specific extensions section for each server. I have one big openssl.cnf which contains sections like this:

    # extensions requested for server0 (selected with -reqexts server0_http)
    [ server0_http ]
    nsCertType       = server
    nsComment        = "HTTP server0"
    basicConstraints = CA:FALSE
    extendedKeyUsage = serverAuth
    subjectAltName   = @server0_http_altnames

    # names listed in the subjectAltName above
    [ server0_http_altnames ]
    URI.1 = https://server.domain.tld
    URI.2 = http://server.domain.tld
    IP.1  = 1.2.3.4
    DNS.1 = server.domain.tld


    Then when I create my csr using openssl I use the parameters -config myCustomOpenssl.cnf -reqexts server0_http. When I look at my request using openssl req -text -noout -in myrequest.csr everything looks perfect.

    However, after I sign the request, the "X509v3 Extended Key Usage" and "X509v3 Subject Alternative Name" sections are gone. To remedy this problem I also put -extfile myCustomOpenssl.cnf -reqexts server0_http with the parameters for the signing call to openssl.

    Is that the expected behaviour? I always thought the csr-file alone must be enough to create a certificate as requested, i.e. with all its sections. The way my system works right now is that I get a certificate with missing sections. To get the certificate as I want it I have to provide the csr-file and the corresponding section from the openssl config file I used to create the request. This is no problem for my small setup, but it would become quite messy if I became a larger CA. Is it supposed to be like that or am I using openssl incorrectly?