
Openssl req command - extensions and reqexts


radiatejava

Sep 17, 2013, 12:15:44 PM
I have some doubts about understanding the difference between the extensions
and reqexts args used in the req command. I have this openssl.cnf
file. Using this I want to generate a certificate for a client (extended
key usage = clientAuth) and one for a server (extended key usage =
serverAuth).

However, when I run a command like this, it does not seem to be
considering the [client_ext] section but only what is under
req_extensions. Can someone explain?

openssl req -new -newkey rsa:1024 -keyout clientcomp.key -nodes -out
clientcomp.csr -extensions client_ext -config ./openssl.cnf

//cat openssl.cnf
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = digitalSignature, cRLSign, keyCertSign

[ client_ext ]
basicConstraints = CA:false
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
nsCertType = client
extendedKeyUsage = clientAuth
nsComment = "OpenSSL-generated client authentication certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dave Thompson

Sep 17, 2013, 5:35:36 PM
> From: owner-ope...@openssl.org On Behalf Of radiatejava
> Sent: Tuesday, September 17, 2013 12:16


> I have some doubts about understanding the difference between the extensions
> and reqexts args used in the req command. I have this openssl.cnf
> file. Using this I want to generate a certificate for a client (extended
> key usage = clientAuth) and one for a server (extended key usage =
> serverAuth).
>
First note that putting extensions in the CSR doesn't necessarily
result in the CA putting them in the cert; that's up to the CA.
(If you implement the CA yourself using OpenSSL, it's up to you.
You must use 'ca' and configure correctly, not 'x509 -req'.)

> However, when I run a command like this, it does not seem to be
> considering the [client_ext] section but only what is under
> req_extensions. Can someone explain?
>
> openssl req -new -newkey rsa:1024 -keyout clientcomp.key -nodes -out
> clientcomp.csr -extensions client_ext -config ./openssl.cnf
>
When generating a CSR, like this, 'req' uses the commandline option
-reqexts or the configuration file entry req_extensions.

When generating a *cert* with 'req -new -x509' it uses the commandline
option -extensions or the config entry x509_extensions.
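Worked example in POSIX shell, added here and not part of the thread or of OpenSSL's own documentation. It exercises both points of the reply above: which switch and config entry select the extension section for a CSR versus a self-signed cert, and that a CA built with 'openssl ca' decides for itself whether CSR extensions are carried into the issued certificate. The openssl.cnf, section names, subjects, file names and the demo_ca section are all constructed for the example. Note that OpenSSL 3.x documents -extensions and -reqexts as interchangeable for 'req' (the named section applies to the certificate when -x509 is given and to the request otherwise), so the script uses -reqexts for the CSRs and -extensions together with -x509, which gives the same result on 1.1.1 and 3.x.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSSL project. Every subject,
# section name and path below is constructed for the demo.
set -eu

WORK=$(mktemp -d)               # scratch directory, deleted on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed openssl.cnf. 'prompt = no' lets 'req' run unattended.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req     # CSR extensions (override with -reqexts)
x509_extensions    = v3_ca      # 'req -x509' extensions (override with -extensions)
prompt             = no

[ req_distinguished_name ]
commonName = demo.example.test

[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage         = digitalSignature, cRLSign, keyCertSign

[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth

[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = ./ca
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
x509_extensions = v3_req        # the CA's own choice for issued certs
# copy_extensions = copy        # would carry CSR extensions over; vet requests before enabling

[ policy_any ]
commonName = supplied
EOF

# Print the extendedKeyUsage text of a CSR ("req") or certificate ("x509"); empty if absent.
eku_of() {
    openssl "$1" -in "$2" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

# Separate keys for the CA and the leaf (a leaf never shares the CA's key).
mkdir -p ca/newcerts
: > ca/index.txt
echo 01 > ca/serial
openssl genrsa -out ca/ca.key 2048 2>/dev/null
openssl genrsa -out leaf.key 2048 2>/dev/null

# 1. Self-signed CA cert: with -x509, the -extensions switch (or x509_extensions) applies.
openssl req -new -x509 -key ca/ca.key -out ca/ca.crt -subj "/CN=Demo CA" \
    -extensions v3_ca -days 30 -config openssl.cnf

# 2. CSRs: without -x509, req_extensions applies, and -reqexts overrides it.
openssl req -new -key leaf.key -out server.csr -config openssl.cnf
openssl req -new -key leaf.key -out client.csr -config openssl.cnf -reqexts client_ext

# 3. A self-signed leaf (req -x509) picks up client_ext only via -extensions.
openssl req -new -x509 -key leaf.key -out selfsigned.crt -days 30 \
    -config openssl.cnf -extensions client_ext

# 4. Signing client.csr with 'openssl ca': demo_ca sets no copy_extensions, so the
#    issued cert gets the CA's v3_req (serverAuth) regardless of the CSR's clientAuth.
openssl ca -batch -notext -config openssl.cnf -in client.csr -out client.crt

for f in server.csr client.csr;     do printf '%-15s %s\n' "$f" "$(eku_of req  "$f")"; done
for f in selfsigned.crt client.crt; do printf '%-15s %s\n' "$f" "$(eku_of x509 "$f")"; done
```

Run it as a plain script; it prints serverAuth for server.csr, clientAuth for client.csr and selfsigned.crt, and serverAuth for client.crt, the last one showing that the CA's configured section, not the CSR, decided the issued certificate's extensions. Enabling copy_extensions in the CA section changes that, which is exactly why requests should be reviewed before a CA honours the extensions they ask for.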