We're trying to generate self signed certs and don't seem to keep the attributes after a csr is signed by a self generated CA via openssl (i.e.: OIDs specified in openssl.cfg drop off the server cert after signed, thus creating a V1 cert).
Here is an example of the syntax I'm using:

Generate a CA Key:

    openssl genrsa -out ca.key 1024

Generate a CA certificate with the previous key:

    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Generate a server certificate key:

    openssl genrsa -out server.key 1024

Generate a certificate request with applying the server key as well:

    openssl req -new -out server.csr -key server.key

Sign .csr with the CA cert & key:

    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

And the openssl.cfg is adding the OIDs correctly based on running:

    openssl req -text -noout -in server.csr

Here is the important part that shows the attributes are attached to the request:

    Attributes:
    Requested Extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment

After signing it with the self-generated CA above, the server cert shows as a Version 1 (V1) cert and does not show the "ServerAuth" & "Client Auth" in the server cert. Where did they go?

Thanks!

P.S. Here are some details of what I am using:

- Windows XP Professional
- openSSL 1.0.0.a 1 Jun 2010
- editing C:\OpenSSL-Win32\bin\openssl.cfg to apply OIDs or SubjectAltNames (will approach later).
- Will use the certs for LDAP over SSL
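A check for the symptom described in the message, added here as an example (not part of the original post): it parses `openssl req -text` and `openssl x509 -text` dumps and lists the requested extensions that are missing from the issued certificate. Both dumps are constructed samples shaped like the output quoted above, and `parse_text_dump` and `dropped_extensions` are hypothetical helper names.

```python
import re
# Constructed sample shaped like `openssl req -text -noout -in server.csr`.
CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
"""
# Constructed sample shaped like `openssl x509 -text -noout -in server.crt` (V1, no extensions).
CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
"""
EXT_HEADER = re.compile(r"^(\s+)(X509v3 [^:]+):\s*(critical)?\s*$")

def parse_text_dump(text):
    """Return (version, {extension name: value}) from an openssl -text dump."""
    version, exts, current, indent = None, {}, None, 0
    for line in text.splitlines():
        m = re.match(r"\s*Version:\s*(\d+)", line)
        if m:
            version = int(m.group(1))
        h = EXT_HEADER.match(line)
        if h:  # extension name line; its value follows on deeper-indented lines
            current, indent = h.group(2), len(h.group(1))
            exts[current] = []
        elif current and line.strip() and len(line) - len(line.lstrip()) > indent:
            exts[current].append(line.strip())
        else:
            current = None
    return version, {name: " ".join(v) for name, v in exts.items()}

def dropped_extensions(csr_text, cert_text):
    """Return cert version and the CSR extensions missing or changed in the cert."""
    _, requested = parse_text_dump(csr_text)
    version, issued = parse_text_dump(cert_text)
    return version, {n: v for n, v in requested.items() if issued.get(n) != v}

if __name__ == "__main__":
    print(dropped_extensions(CSR_TEXT, CERT_TEXT))
```

To use it on real files, pass the captured output of the two `-text -noout` commands in place of the constructed strings.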