>From: owner-openssl-us...@openssl.org On Behalf Of Sreekanth Sukumaran
>Sent: Monday, 11 February, 2013 07:04

>For usage on my server application,

>1. I tried to create a CA certificate using the command
>openssl req -new -x509 -days 730 -extensions v3_ca 
>-keyout cacert.key -out cacert.pem 

>2. Now I generate the signed certificate using:
>//Generate the request
>openssl req -new -out signedcert.req -keyout signedcert.key
>//sign the request
>openssl.exe x509 -req -days 730 -in signedcert.req -CA cacert.pem 
>-CAkey cacert.key -out signedcert.crt

>I had "copy_extensions = copy" enabled in openssl.cnf.
>I had a list of IP addresses in subject alternative name as an extension.
>The signed certificate does not inherit/copy the extensions from 
>the CA certificate. The CA certificate is a V3 certificate, but the signed 
>certificate is V1 and it does not have any subject alternative names. 
>I tried "copy_extensions = copyall" too in the config file.

Note: all certificates are signed. The distinction you want to make 
is between the (self-signed) root CA, and the "server" or "client" or 
"entity" or more generally "child" cert "issued" by the "parent" CA.

Child certs do not and should not "inherit" extensions from the 
parent CA cert. Some child extensions may be *related to* parent 
extensions, e.g. child AuthorityKeyIdentifier is often based on 
parent *SubjectKeyIdentifier*, but some are entirely different.

Child certs should have extensions appropriate to the entity 
the cert is for. In OpenSSL extensions in a child cert depend on 
the utility you use.

openssl ca can put extensions in the child cert from a config file, 
or copy them from the *CSR*, which openssl req -new can put there 
from a (possibly different) config file. Did you have a default 
config file for 'req -new' to use, and what relevant values were 
in it -- i.e. the section named by x509_extensions in [req], NOT 
the one(s) named by any CA section(s). copy_extensions in the 
config file (in a CA section) applies only to 'ca'. 

openssl x509 -req -CA/CAkey can put extensions in the child cert 
from the config file only, and only if requested on the command 
line. Any extensions in the CSR are discarded.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
