> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Salz, Rich via openssl-users
> Sent: Friday, February 07, 2020 09:17
>
> I think the mismatch is that CSR extensions are not carried over; they have
> to be added at signing time.
> See https://github.com/openssl/openssl/issues/10458

Or copied using the copy_extensions option, as noted in the discussion of that 
issue.

In the OpenSSL configuration file used by "openssl ca", in the CA section (that 
is, the section named by the default_ca option, or in the section specified by 
the -name parameter to the openssl ca command), add:

        copy_extensions=copy

That will copy all extensions from the CSR that aren't overridden by the 
specified extensions section. As Rich noted in the discussion of issue 10458, 
and as should be obvious, this is a major security risk if you don't also 
control CSR generation (i.e. if your CSRs are tainted).

See the documentation for openssl ca for more information. If you don't like 
using the man command, read the OpenSSL docs online:

        https://www.openssl.org/docs/man1.1.1/man1/ca.html

I'm assuming a reasonably recent version of OpenSSL.

So:
1. Make sure your threat model allows copying extensions from CSRs to 
certificates.
2. Make sure your CA configuration has "copy_extensions=copy" (or possibly 
copyall, though use cases justifying that are less common).
3. Make sure the CSRs you're generating have the extensions you want.
4. Generate a new CSR or revoke the certificate for one you've already issued, 
and try again.

--
Michael Wojcik

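The four-step procedure above, as an added worked example that is not part of the original thread: a throwaway CA signs one CSR carrying a subjectAltName twice, once with the default copy_extensions=none and once with copy_extensions=copy, and then checks which issued certificate actually contains the SAN. All file names, section names and DNS names are made up for the demo; it assumes an OpenSSL 1.1.1 or newer binary on PATH (the CSR is built with -addext, which older releases lack).

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA, sign one
# CSR that carries a subjectAltName twice, once with copy_extensions=none
# (the default) and once with copy_extensions=copy, and show which issued
# certificate actually contains the SAN. All names and paths are made up.
# Assumes an OpenSSL 1.1.1 or newer binary on PATH (needed for -addext).
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
COPY_CERT="$WORK/leaf-copy.crt"
NONE_CERT="$WORK/leaf-none.crt"

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_req_config() {
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORK/req.cnf"
}

# CA config for "openssl ca". $1 is the copy_extensions value (none|copy|copyall).
# Extensions listed in [ demo_ext ] override a same-named extension from the CSR.
write_ca_config() {
    cat > "$WORK/ca-$1.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $WORK
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
serial          = \$dir/serial
default_md      = sha256
default_days    = 30
unique_subject  = no
policy          = demo_policy
x509_extensions = demo_ext
copy_extensions = $1

[ demo_policy ]
commonName = supplied

[ demo_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}

# Self-signed CA certificate plus the bookkeeping files "openssl ca" expects.
setup_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 \
        -subj "/CN=Demo Root CA" 2>/dev/null
}

# The CSR asks for a subjectAltName; this is the extension the CA may or may not carry over.
make_csr() {
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=demo.example" \
        -addext "subjectAltName=DNS:demo.example,DNS:www.demo.example" 2>/dev/null
}

# $1 = copy_extensions mode (selects the config written above), $2 = output certificate path
sign_csr() {
    openssl ca -batch -notext -config "$WORK/ca-$1.cnf" \
        -in "$WORK/leaf.csr" -out "$2" 2>/dev/null
}

# Prints "kept" if the issued certificate carries the CSR's SAN, else "dropped".
san_status() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'DNS:demo.example'; then
        echo kept
    else
        echo dropped
    fi
}

write_req_config
setup_ca
make_csr
write_ca_config none
write_ca_config copy
sign_csr none "$NONE_CERT"
sign_csr copy "$COPY_CERT"

echo "copy_extensions=none : SAN $(san_status "$NONE_CERT")"
echo "copy_extensions=copy : SAN $(san_status "$COPY_CERT")"
```

The second signing is the one a production CA would only run after step 1 of the list above has been answered: with copy_extensions=copy, whatever the requester put in the CSR ends up in the certificate unless the CA's own extensions section overrides it, so the CSR source has to be trusted or the CSR has to be inspected (openssl req -noout -text) before signing.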