> -----Original Message-----
> From: radiatejava
>
> I have some doubts on how to use certificate extensions. I have this
> openssl.cnf file:

[snip]

> Using this I want to generate a certificate for client
> (extendedkeyusage=clientAuth) and one for server (extended key usage =
> serverAuth).
>
> However, when I run a command like this, it does not seem to be
> considering the [client_ext] section but only what is under
> req_extensions. Can someone explain?
>
> openssl req -new -newkey rsa:1024 -keyout clientcomp.key -nodes -out
> clientcomp.csr -extensions client_ext -config ./openssl.cnf

The req command generates a certificate request. As such it only picks up the corresponding request settings from your config file. If you want to generate a certificate you'll have to use the x509 or ca command.

Please also note that adding extensions to a certificate request usually doesn't make any sense, as those get added to the certificate solely by the certificate issuer's grace.

HTH,
Patrick Eisenacher
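The request-then-issue flow described in the reply, as an added example that is not part of the original thread: a throwaway CA signs a client and a server request with `openssl x509 -req`, choosing the extension section at signing time, and `openssl verify -purpose` then checks the result. The file names, subjects and the contents of `demo.cnf` (including `[client_ext]` and `[server_ext]`) are assumptions, since the poster's config is snipped.

```shell
#!/bin/sh
# Added example. File names, subjects and section contents are assumptions;
# the poster's openssl.cnf is snipped on the page.

issue_demo_certs() {    # $1 = empty working directory
    ( cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Throwaway issuer: req -x509 emits a certificate, not a request.
    openssl req -x509 -new -newkey rsa:2048 -nodes -config demo.cnf \
        -extensions ca_ext -subj "/CN=Demo CA" -days 30 \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    for role in client server; do
        # Subject side: a plain request, no extensions asked for.
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj "/CN=demo-$role" -keyout "$role.key" -out "$role.csr" \
            2>/dev/null || exit 1
        # Issuer side: x509 -req picks the extension section at signing time.
        openssl x509 -req -in "$role.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 30 -extfile demo.cnf \
            -extensions "${role}_ext" -out "$role.crt" 2>/dev/null || exit 1
    done )
}

cert_eku() {            # print the EKU value line of certificate $1
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

purpose_ok() {          # $1 = dir, $2 = sslclient|sslserver, $3 = role
    openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/$3.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
issue_demo_certs "$demo_dir" && cert_eku "$demo_dir/client.crt"
```

The client certificate passes `purpose_ok "$demo_dir" sslclient client` and fails the `sslserver` check, which is the separation the two extension sections are meant to enforce.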