On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik <michael.woj...@microfocus.com> wrote:
> Or copied using the copy_extensions option, as noted in the discussion of
> that issue.
>
> In the OpenSSL configuration file used by "openssl ca", in the CA section
> (that is, the section named by the default_ca option, or in the section
> specified by the -name parameter to the openssl ca command), add:
>
> copy_extensions=copy
>
> That will copy all extensions from the CSR that aren't overridden by the
> specified extensions section. As Rich noted in the discussion of issue 10458,
> and as should be obvious, this is a major security risk if you don't also
> control CSR generation (i.e. if your CSRs are tainted).

I will try that. Since I deal only in cert requests generated in-house, this should be OK for us.
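
An added configuration example, not taken from either message in this thread: a CA section for "openssl ca" that sets copy_extensions=copy while pinning the sensitive extensions in the CA's own extensions section, so that the same values requested in a CSR are ignored. The section names leaf_ext and leaf_policy and all file paths are assumptions chosen for illustration.

```ini
# Constructed openssl.cnf fragment for "openssl ca"; names and paths are placeholders.
[ ca ]
default_ca = CA_default            # section used unless -name selects another

[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = leaf_policy
x509_extensions = leaf_ext         # extensions the CA itself sets on every cert
copy_extensions = copy             # copy CSR extensions NOT already set by leaf_ext
# copy_extensions = copyall        # weak: CSR values replace those set in leaf_ext

[ leaf_ext ]
# Set by the CA, so a CSR asking for CA:TRUE or extra key usages is ignored under "copy".
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ leaf_policy ]
commonName = supplied
```

Anything not pinned in leaf_ext, such as subjectAltName, is still taken from the CSR, so inspect each issued certificate with "openssl x509 -noout -text" before releasing it.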