I have some doubts on how to use certificate extensions. I have this openssl.cnf file:

cat openssl.cnf

[v3_ca]
basicConstraints = critical,CA:true
keyUsage = digitalSignature, cRLSign, keyCertSign

[ client_ext ]
basicConstraints = CA:false
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
nsCertType = client
extendedKeyUsage = clientAuth
nsComment = "OpenSSL-generated client authentication certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth

Using this I want to generate a certificate for the client (extendedkeyusage=clientAuth) and one for the server (extended key usage = serverAuth). However, when I run a command like this, it does not seem to be considering the [client_ext] section but only what is under req_extensions. Can someone explain?

openssl req -new -newkey rsa:1024 -keyout clientcomp.key -nodes -out clientcomp.csr -extensions client_ext -config ./openssl.cnf

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
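An added shell example, not from the poster or the OpenSSL project, that builds a throwaway CA and issues a client and a server certificate from a trimmed copy of the config above. It assumes an openssl binary (1.1.1 or 3.x) on PATH; it uses -reqexts to pick the request-extension section for the CSR and the signer's -extfile/-extensions for the issued certificate, then reads the extendedKeyUsage back with -text so you can see which section actually took effect at each step.

```shell
#!/bin/sh
# Added demo: the CSR only *requests* extensions; the signer's -extensions decides what is issued.
set -eu
WORK="$(mktemp -d)"
# Constructed config: the poster's file trimmed to the sections this demo needs
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = digitalSignature, cRLSign, keyCertSign
[client_ext]
basicConstraints = CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
[v3_req]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
# Self-signed CA; with -x509 the -extensions section is applied to the certificate itself
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj /CN=Demo-CA -extensions v3_ca -config "$WORK/openssl.cnf" 2>/dev/null
}
# CSR: -reqexts selects the request-extension section (overrides req_extensions in [req])
make_csr() { # $1 = name, $2 = section
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$1" -reqexts "$2" -config "$WORK/openssl.cnf" 2>/dev/null
}
# Issue: x509 -req ignores the CSR's requested extensions and uses -extfile/-extensions instead
issue() { # $1 = name, $2 = section
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -out "$WORK/$1.crt" -extfile "$WORK/openssl.cnf" -extensions "$2" 2>/dev/null
}
# Print the extendedKeyUsage value of a CSR ($2=req) or a certificate ($2=x509)
eku_of() {
  openssl "$2" -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n1 | sed 's/^ *//'
}
make_ca
make_csr client client_ext; issue client client_ext
make_csr server v3_req;     issue server client_ext   # CSR asked for serverAuth, CA issues clientAuth
echo "client.csr requested: $(eku_of "$WORK/client.csr" req)"
echo "server.csr requested: $(eku_of "$WORK/server.csr" req)"
echo "server.crt issued as: $(eku_of "$WORK/server.crt" x509)"
```

The last line shows why a CA should never copy CSR extensions blindly: the issued EKU is whatever the signer's section says, so review the signing section, not the request, when auditing what a certificate is allowed to do.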