> From: owner-openssl-us...@openssl.org On Behalf Of Andy GOKTAS
> Sent: Friday, 27 August, 2010 13:00
> To: openssl-users@openssl.org
> Subject: Need help with signing a csr with an openssl generated CA.
> 
> Hello, 
> 
> We're trying to generate self signed certs and don't seem to 
> keep the attributes after a csr is signed by a self generated 
> CA via openssl (i.e.: OIDs specified in openssl.cfg drop off 
> the server cert after signed, thus creating a V1 cert).  
> 
Note that a cert is NOT a (re)signed CSR. People often say so, 
but it's wrong. The cert signed part (certInfo aka body aka TBS) 
is quite *similar* to the body of a CSR, but *not* the same.
That matters to your case because the code must explicitly 
put into the cert body everything that goes there, whether 
from the CSR or otherwise, including extensions.

> Here is an example of the syntax I'm using:  
> Generate a CA Key: 
> openssl genrsa -out ca.key 1024
> 
> Generate a CA certificate with the previous key: 
> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> 
> Generate a server certificate key:  
> openssl genrsa -out server.key 1024
> 
> Generate a certificate request with applying the server key as well: 
> openssl req -new -out server.csr -key server.key
> 
> Sign .csr with the CA cert & key:  
> openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey 
> ca.key -set_serial 01 -out server.crt
> 
x509 -req doesn't copy extensions from the CSR to the cert.
It appears from the source that it will *add* extensions from 
the config file to the generated cert *if* you explicitly specify 
-extfile but not by default. I have no clue why, and haven't tested.

ca, which generates certs from CSRs much like x509 -req, but also 
records them in a (trivial) "database", and has since longer IIRC, 
does copy extensions by default, but can add to and/or 
suppress them per options in the configuration file.

You should understand that the openssl commandline utilities 
mostly "just grew" over many years with features added and 
changed as the developers saw a need for them -- perhaps 
based on many user requests, perhaps only a few (but maybe paid), 
and perhaps none, it just seemed like something fun to do. 
Some efforts have been made from time to time to make parts 
of them consistent and/or complete, but there has clearly not 
been enough labor available to do everything.

It looks like you're using the ShiningLight build, which 
doesn't include source (at least last I looked), but you can 
get it from www.openssl.org/source and change it (at least 
for your own use) if you want. Personally I would just use ca.

<snip rest>
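The two signing variants discussed above, run back to back so the difference is visible, as an added example that is not part of the original thread: the CA/server names and the extension values in `ext.cnf` are made-up sample data, and the script assumes `openssl`, `mktemp` and `sed` are on the PATH.

```shell
#!/bin/sh
# Added example, not from the original mail: reproduces the poster's x509 -req
# step, then repeats it with -extfile so the requested extensions land in the
# cert. Names (Example Test CA, www.example.test) are made-up sample values.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# CA key + self-signed CA cert, server key + CSR; -subj avoids the prompts.
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Test CA" 2>/dev/null
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=www.example.test" 2>/dev/null

# The extensions the server cert should carry, as a section for -extfile.
cat > "$WORK/ext.cnf" <<'EOF'
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# sign_csr OUT [extra x509 options...]: the mail's x509 -req command.
sign_csr() {
    out="$1"; shift
    openssl x509 -req -days 3650 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial 01 \
        -out "$out" "$@" 2>/dev/null
}

# Inspection helpers built on -text only, so they also work on older 1.x builds.
cert_version() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# 1) Exactly as in the mail: no -extfile, so no extension from any config file
#    reaches the cert and it carries nothing from ext.cnf.
sign_csr "$WORK/server-noext.crt"
# 2) With -extfile/-extensions: x509 -req adds the named section's extensions,
#    which forces a V3 certificate.
sign_csr "$WORK/server-v3.crt" -extfile "$WORK/ext.cnf" -extensions v3_server

printf 'without -extfile: version %s\n' "$(cert_version "$WORK/server-noext.crt")"
printf 'with    -extfile: version %s\n' "$(cert_version "$WORK/server-v3.crt")"
openssl x509 -in "$WORK/server-v3.crt" -noout -text | grep 'DNS:'
```

Note that the CSR here carries no extensions of its own; everything in the second cert comes from `ext.cnf`, which is the point of the thread.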

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org