> From: owner-openssl-us...@openssl.org On Behalf Of radiatejava
> Sent: Tuesday, September 17, 2013 12:16

> I have some doubts on understanding the difference between extensions
> and reqexts args used in the req command. I have this openssl.cnf
> file. Using this I want to generate a certificate for client (extended
> key usage=clientAuth) and one for server(extended key usage =
> serverAuth).
>

First note that putting extensions in the CSR doesn't necessarily result in the CA putting them in the cert; that's up to the CA. (If you implement the CA yourself using OpenSSL, it's up to you. You must use 'ca' and configure correctly, not 'x509 -req'.)

> However, when I run a command like this, it does not seem to be
> considering the [client_ext] section but only what is under
> req_extensions. Can someone explain ?
>
> openssl req -new -newkey rsa:1024 -keyout clientcomp.key -nodes -out
> clientcomp.csr -extensions client_ext -config ./openssl.cnf
>

When generating a CSR, like this, 'req' uses the commandline option -reqexts or the configuration file entry req_extensions. When generating a *cert* with 'req -new -x509' it uses the commandline option -extensions or the config entry x509_extensions.
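The distinction drawn in the reply above, as an added example that is not part of the original message: a script that builds CSRs and a self-signed certificate from a constructed config and reports which extended key usage each one carries. The `server_ext` section, the subject and the file names are assumptions; `client_ext` is the section name from the question. The CSR built with `-extensions` is reported as the installed `openssl` produces it rather than assumed.

```shell
#!/bin/sh
# Added example; the config contents, subject and file names are constructed.

# Print the extended key usage in a CSR ($1 = req) or certificate ($1 = x509).
eku_of() {
    case "$(openssl "$1" -in "$2" -noout -text)" in
        *"TLS Web Client Authentication"*) echo clientAuth ;;
        *"TLS Web Server Authentication"*) echo serverAuth ;;
        *) echo none ;;
    esac
}

eku_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = server_ext
x509_extensions    = server_ext
[dn]
commonName = Common Name
[server_ext]
extendedKeyUsage = serverAuth
[client_ext]
extendedKeyUsage = clientAuth
EOF
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null || return 1
    set -- -new -key "$d/key.pem" -subj "/CN=example" -config "$d/openssl.cnf"
    # CSR, no option: the config entry req_extensions decides.
    openssl req "$@" -out "$d/default.csr" || return 1
    # CSR with -reqexts: overrides req_extensions.
    openssl req "$@" -reqexts client_ext -out "$d/reqexts.csr" || return 1
    # CSR with -extensions, as in the question; result is reported, not assumed.
    openssl req "$@" -extensions client_ext -out "$d/extensions.csr" || return 1
    # Self-signed cert (-x509): -extensions overrides x509_extensions.
    openssl req "$@" -x509 -days 1 -extensions client_ext -out "$d/cert.pem" || return 1

    EKU_CSR_DEFAULT=$(eku_of req "$d/default.csr")
    EKU_CSR_REQEXTS=$(eku_of req "$d/reqexts.csr")
    EKU_CSR_EXTENSIONS=$(eku_of req "$d/extensions.csr")
    EKU_CERT_EXTENSIONS=$(eku_of x509 "$d/cert.pem")
    rm -rf "$d"
}

eku_demo && printf '%s\n' \
    "CSR, config only:        $EKU_CSR_DEFAULT" \
    "CSR, -reqexts:           $EKU_CSR_REQEXTS" \
    "CSR, -extensions:        $EKU_CSR_EXTENSIONS" \
    "cert, -x509 -extensions: $EKU_CERT_EXTENSIONS"
```

Inspecting the CSR with `openssl req -noout -text` before sending it to a CA is the quickest way to confirm which section was actually applied.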