>       From: [email protected] On Behalf Of Potter, Kevin (Produban)
>       Sent: Thursday, 04 June, 2009 05:12
        
>       When I open a certificate I have signed, in details it is showing as version V1
> which cannot be imported into the application which generated the csr as it requires
> version V3. The CA.crt shows as version V3 but not the signed csr

1) That sounds odd. A cert-using app might reasonably require that certain 
extension(s) be used perhaps with particular value(s), which in turn 
requires v3; but there's no good reason to require v3 for itself.

2) I don't believe there is any CSR v3 format. IIRC there was a PKCS#something 
extended format, but I don't think that made it back into X.509. Perhaps by 
'signed CSR' you actually mean the certificate generated from the CSR.
That is signed, and contains data from the CSR, but it is not a CSR; see below.

>       I am using Win32OpenSSL Light 0.9.8k and did a default installation.
>        
>       I have created a CA key pair using
>       openssl genrsa -des3 -out CA.key 1024
>        
>       I then created a CA certificate using
>       openssl req -new -key CA.key -x509 -days 1095 -ou ..\ certs\CA.crt

I assume that's a typo and you actually did -out and a valid pathname.
Aside: if you wish you can combine these; req can do the keygen also.
         
>       I then signed a certificate request using
>       openssl x509 -req - days 1095 -in test.csr -CA ..\certs\CA.crt 
> -CAkey ..\private\CA.key -CAcreateserial -out test.crt

Per above you don't actually sign the CSR (which is already signed).
You create a certificate from the CSR and sign the certificate.

To get to your actual question:  
x509 -req sets version=2 (v3) only if you use -extfile and optionally 
-extensions (even if it specifies zero extensions -- though as above 
requiring v3 without actually using/requiring an extension is silly).




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
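
The difference described in the reply above can be checked by issuing two certificates from the same CSR, one without and one with -extfile, and reading back the version field. This is an added example, not part of the original message; it assumes a POSIX shell with openssl on the PATH, and the throwaway CA, subject names, file names and the contents of v3.ext are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the version field of certificates issued by
# "openssl x509 -req" without and with -extfile. All names are constructed.

# Print the X.509 version (1 or 3) that openssl reports for a certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Version: *\([0-9][0-9]*\).*/\1/p'
}

# Create a throwaway CA and CSR in directory $1, then issue two certificates
# from the same CSR: plain.crt (no -extfile) and v3.crt (with -extfile).
issue_demo_certs() {
    d=$1
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1095 \
        -subj "/CN=Demo CA" -keyout "$d/CA.key" -out "$d/CA.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test.example" \
        -keyout "$d/test.key" -out "$d/test.csr" 2>/dev/null &&
    # Same form as the signing command quoted in the thread.
    openssl x509 -req -days 1095 -in "$d/test.csr" -CA "$d/CA.crt" \
        -CAkey "$d/CA.key" -CAcreateserial -CAserial "$d/CA.srl" \
        -out "$d/plain.crt" 2>/dev/null &&
    # Extension file: entries in the unnamed section are used when
    # -extensions is not given.
    printf 'basicConstraints = CA:FALSE\n' > "$d/v3.ext" &&
    openssl x509 -req -days 1095 -in "$d/test.csr" -CA "$d/CA.crt" \
        -CAkey "$d/CA.key" -CAserial "$d/CA.srl" \
        -extfile "$d/v3.ext" -out "$d/v3.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
issue_demo_certs "$demo_dir"
# The first value is the one the thread is about; it is read from the
# certificate rather than assumed, since it depends on the OpenSSL build.
echo "without -extfile: v$(cert_version "$demo_dir/plain.crt")"
echo "with    -extfile: v$(cert_version "$demo_dir/v3.crt")"
```

The basicConstraints line is only a placeholder; put whatever extensions the consuming application expects into the extension file.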
