Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 4:02 PM Michael Wojcik wrote: > > > From: Michael Leone [mailto:tur...@mike-leone.com] > > Sent: Friday, February 07, 2020 13:13 > > > > I've got it almost all figured out, except how to get a subjectAltName > > automatically populated by the CN of the requestor. My requests

RE: Problems adding specific extensions to signed certificates

> From: Michael Leone [mailto:tur...@mike-leone.com] > Sent: Friday, February 07, 2020 13:13 > > I've got it almost all figured out, except how to get a subjectAltName > automatically populated by the CN of the requestor. My requests aren't > asking for a SAN, but Chrome isn't happy without one, so

Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 3:08 PM Michael Wojcik wrote: > > > From: Michael Leone [mailto:tur...@mike-leone.com] > > Sent: Friday, February 07, 2020 11:55 > > > > How is that this works for everyone else, and not me? :-) > > It doesn't. > > I just reviewed this whole note stream, and realized you're

RE: Problems adding specific extensions to signed certificates

> From: Michael Leone [mailto:tur...@mike-leone.com] > Sent: Friday, February 07, 2020 11:55 > > How is that this works for everyone else, and not me? :-) It doesn't. I just reviewed this whole note stream, and realized you're using "openssl req" to create the certificate, rather than "openssl c

Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 1:46 PM Michael Leone wrote: > > On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik > wrote: > > Or copied using the copy_extensions option, as noted in the discussion of > > that issue. > > > > In the OpenSSL configuration file used by "openssl ca", in the CA section > > (th

Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik wrote: > Or copied using the copy_extensions option, as noted in the discussion of > that issue. > > In the OpenSSL configuration file used by "openssl ca", in the CA section > (that is, the section named by the default_ca option, or in the section

RE: Problems adding specific extensions to signed certificates

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Salz, Rich via openssl-users > Sent: Friday, February 07, 2020 09:17 > > I think the mismatch is that CSR extensions are not carried over; they have > to be added at signing time. > See https://github.com/openssl/openss

Re: Problems adding specific extensions to signed certificates

I think the mismatch is that CSR extensions are not carried over; they have to be added at signing time. See https://github.com/openssl/openssl/issues/10458

Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 11:02 AM Sergio NNX wrote: > > This is the basics of OpenSSL! > > You would like to add extensions to a CSR or the problem arises when signing > it? Yes, when I sign, I get no extensions that are requested in the CSR. Nor are any added, when I sign (requested or not). > >

Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 10:30 AM Michael Richardson wrote: > > > Michael Leone wrote: > > On Fri, Feb 7, 2020 at 8:54 AM Michael Leone > wrote: > >> Thanks, tho, I did learn a thing or two. I see from this example > >> > >> openssl req -config $cfgdir/openssl-root.cnf $passin \ >

Re: Problems adding specific extensions to signed certificates

From: openssl-users on behalf of Michael Leone Sent: Saturday, 8 February 2020 2:01 AM To: openssl-users@openssl.org Subject: Re: Problems adding specific extensions to signed certificates On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni wrote: > > On Thu, F

Re: Problems adding specific extensions to signed certificates

On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni wrote: > > On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote: > > > Oh, I can add extensions by signing and using the -extfile option, and > > specifying a file with the specific options I want to give the > > certificate. But I don't want

Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 8:54 AM Michael Leone wrote: > Thanks, tho, I did learn a thing or two. I see from this example > > openssl req -config $cfgdir/openssl-root.cnf $passin \ > -set_serial 0x$(openssl rand -hex $sn)\ > -keyform $format -outform $format\ > -key $rootca/private/ca.

Re: Problems adding specific extensions to signed certificates

On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni wrote: > On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote: > > > Oh, I can add extensions by signing and using the -extfile option, and > > specifying a file with the specific options I want to give the > > certificate. But I don't want

Re: Problems adding specific extensions to signed certificates

On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote: > Oh, I can add extensions by signing and using the -extfile option, and > specifying a file with the specific options I want to give the > certificate. But I don't want to have to use an addon file, I want to > add parameters to all s

Problems adding specific extensions to signed certificates

This is driving me crazy. I have a CA, running on Debian 9, running openssl 1.1.0. (this CA is for our organization internal use only, of course). I can successfully sign requests. However, what I can't seem to do, is add x509 extensions to the signed certificate, as part of the openssl.cnf. Oh, I