On Fri, Feb 7, 2020 at 1:46 PM Michael Leone <tur...@mike-leone.com> wrote:
>
> On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik
> <michael.woj...@microfocus.com> wrote:
> > Or copied using the copy_extensions option, as noted in the discussion of
> > that issue.
> >
> > In the OpenSSL configuration file used by "openssl ca", in the CA section
> > (that is, the section named by the default_ca option, or in the section
> > specified by the -name parameter to the openssl ca command), add:
> >
> > copy_extensions=copy
> >
> > That will copy all extensions from the CSR that aren't overridden by the
> > specified extensions section. As Rich noted in the discussion of issue
> > 10458, and as should be obvious, this is a major security risk if you don't
> > also control CSR generation (i.e. if your CSRs are tainted).
>
> I will try that. Since I deal only in cert requests generated

Nope; didn't work for me. I get no extensions listed in the cert at all, not the ones requested by the CSR, not the ones listed in the CA. Nuthin. LOL

Only if I use the -extfile parameter do I get extensions, and those may not be what the CSR is requesting. How is it that this works for everyone else, and not me? :-)
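
The copy_extensions=copy behaviour described in the quoted reply, as an added example that is not part of the thread: a throwaway CA signs a CSR that requests a SAN and CA:TRUE, and the CA's own extensions section pins basicConstraints so only the SAN is copied. All section names, file names and host names below are constructed for the demo.

```bash
# Added example: throwaway CA in a temp dir; every name and value is constructed.
demo_copy_extensions() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" && mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
    cat > demo.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = leaf_ext
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[ req ]
distinguished_name = dn
prompt = no
req_extensions = csr_ext
[ dn ]
CN = host.example.test
[ csr_ext ]
subjectAltName = DNS:host.example.test
basicConstraints = CA:TRUE
EOF
    # Self-signed CA, then a CSR that asks for a SAN and (improperly) CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=Demo CA" \
      -keyout ca.key -out ca.crt -days 30 2>/dev/null || exit 1
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    # No -extfile/-extensions here: leaf_ext and copy_extensions come from [ demo_ca ].
    openssl ca -batch -config demo.cnf -in leaf.csr -out leaf.crt 2>/dev/null || exit 1
    openssl x509 -in leaf.crt -noout -text
  )
  rc=$?; rm -rf "$d"; return $rc
}
```

With copy_extensions = copyall the request's value would replace the CA's instead, so that setting only makes sense for CSRs you generate yourself.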