Thanks Matt,

After disabling the default config, basic constraints are omitted.

It seems a more revealing description is in "-config": for a description of the default value, see "COMMAND SUMMARY" in openssl(1). I didn't know "-config" has a default value and it usually points to the one shipped with openssl. Thanks for bringing my attention to it.

Regards,
Glen

> On Jan 27, 2022, at 8:25 PM, Matt Caswell <m...@openssl.org> wrote:
>
> On 27/01/2022 06:00, Glen Huang wrote:
>> Hi,
>> I'm trying to create a signed certificate from a CA certificate without
>> creating a CSR first. From the doc, I came up with this command:
>> ```
>> openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj '/CN=leaf' -out leaf.crt
>> ```
>> However,
>> ```
>> openssl x509 -in leaf.crt -text -noout
>> ```
>> reports that it contains:
>> ```
>> X509v3 Basic Constraints: critical
>>     CA:TRUE
>> ```
>> Which should be incorrect, since leaf.crt has an issuer and is not a CA.
>> I wonder if this is by design? Is there a way to omit the basic constraints
>> extension in a leaf certificate?
>
> A close reading of the openssl-req man page will reveal the hint that
> explains this:
>
> https://www.openssl.org/docs/man3.0/man1/openssl-req.html
>
> You have used the -CA option. The man page describes this option as follows:
>
>     Specifies the "CA" certificate to be used for signing a new certificate and
>     implies use of -x509. When present, this behaves like a "micro CA" as
>     follows: The subject name of the "CA" certificate is placed as issuer name in
>     the new certificate, which is then signed using the "CA" key given as
>     specified below.
>
> The "implies use of -x509" is significant here. The description of the
> "-x509" option says that "X.509 extensions to be added can be specified in
> the configuration file". Later the description of the configuration file
> format on that man page says:
>
>     x509_extensions
>         This specifies the configuration file section containing a list of extensions
>         to add to certificate generated when -x509 is in use. It can be overridden by
>         the -extensions command line switch.
>
> Next if we look at the default config file, we see this:
>
>     [ req ]
>     default_bits = 2048
>     default_keyfile = privkey.pem
>     distinguished_name = req_distinguished_name
>     attributes = req_attributes
>     x509_extensions = v3_ca # The extensions to add to the self signed cert
>
> The comment against "x509_extensions" is actually misleading. These are
> actually the extensions to add if the "-x509" option is in use (which is
> implied by -CA). Usually if you're just using "-x509" then you are creating a
> self-signed cert - but not if you are using "-CA".
>
> So, assuming you are using the default config file settings, then the
> extensions to be added are "v3_ca". This has the effect of adding the "Basic
> Constraints, CA:TRUE" setting to the certificate. If you comment out that
> line from the config file then it won't get added.
>
> Matt