OpenSSL "req" - X509 V3 Extensions Configuration Options

Q

What are X509 V3 extensions options in the configuration file for the OpenSSL "req" command?

✍: FYIcenter.com

A

X509 V3 extension options in the configuration file allow you to add extensions to an X.509 v3 certificate when you use OpenSSL commands to generate CSRs and self-signed certificates.

X509 V3 extensions options in the configuration file are:

1. basicConstraints (Basic Constraints) - This specifies the extension that indicates whether this certificate is a CA certificate, using the value "CA:TRUE" or "CA:FALSE". A CA certificate can be used to sign other certificates. If this certificate is a CA certificate, this extension can take an extra "pathlen" value to limit the number of levels of intermediate CA certificates below it in a certificate path.

For example, "basicConstraints=CA:TRUE,pathlen:1" will add the Basic Constraints extension into the certificate to indicate that this is a CA certificate, and that only 1 intermediate CA is allowed below it in a certificate validation path.

2. keyUsage (Key Usage) - This specifies the extension that indicates which usages the public key in this certificate is limited to. Possible key usages are: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly and decipherOnly.

For example, "keyUsage=digitalSignature,nonRepudiation" will add the Key Usage extension into the certificate to limit it to digital signature and non-repudiation only.

3. extendedKeyUsage (Extended Key Usage) - This specifies the extension that indicates which types of applications the public key in this certificate is limited to. Possible extended key usages are: serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, OCSPSigning, ipsecIKE, msCodeInd, msCodeCom, msCTLSign, and msEFS.

For example, "extendedKeyUsage=serverAuth,clientAuth" will add the Extended Key Usage extension into the certificate to limit it to server authentication and client authentication only.

4. subjectKeyIdentifier (Subject Key Identifier) - This specifies the extension to identify the subject in this certificate. The most common identifier is the hash value of the subject defined in "RFC3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".

For example, "subjectKeyIdentifier=hash" will add the Subject Key Identifier extension into the certificate with the hash value of the subject.

5. authorityKeyIdentifier (Authority Key Identifier) - This specifies the extension to identify the issuer in this certificate. Possible values are: "keyid" (copy the Subject Key Identifier from the issuer's certificate) and "keyid,issuer" (copy the issuer name and the serial number from the issuer's certificate, if not able to get "keyid").

We can also add the "always" flag to "keyid" and/or "issuer", to make them required.

For example, "authorityKeyIdentifier=keyid,issuer:always" will add the Authority Key Identifier extension into the certificate with the Subject Key Identifier and issuer name with the serial number from the issuer's certificate. And "issuer" value is required.

6. subjectAltName (Subject Alternative Name) - This specifies the extension to provide Subject Alternative Names. This extension allows a single certificate to present multiple subject names, one as the primary subject and others as subject alternative names.

For example, Google can use a single certificate to represent multiple domain names: www.google.com as the primary subject name, and www.google.de, www.google.ca, etc. as subject alternative names.

You can use subjectAltName option to include almost anything. Here are some examples:

subjectAltName=DNS:*.google.ca,DNS:*.google.ch,DNS:*.google.fr
subjectAltName=email:copy,email:my@other.com,URI:http://my.url.here/
subjectAltName=IP:192.168.7.1,IP:13::17
subjectAltName=email:my@other.address,RID:1.2.3.4
subjectAltName=otherName:1.2.3.4;UTF8:some other identifier

Note that "email:copy" is a special option which copies any emails from the subject name.

7. issuerAltName (Issuer Alternative Name) - This specifies the extension to provide Issuer Alternative Names. This extension allows the issuer to provide additional names to represent the issuer. Similar to subjectAltName, the issuerAltName option can be used to include almost anything. Here are some examples:

issuerAltName=issuer:copy
issuerAltName=otherName:TheBestCA;UTF8:some other identifier

Note that "issuer:copy" is a special option which copies the subjectAltName from the issuer's certificate.

8. authorityInfoAccess (Authority Info Access) - This specifies the extension to provide information on how to contact the issuer.

For example, "authorityInfoAccess=OCSP;URI:http://ocsp.my.host/" tells you where to reach the OCSP (Online Certificate Status Protocol) server to verify the status of this certificate.

Another example, "authorityInfoAccess=caIssuers;URI:http://my.ca/ca.html" tells you where to get the issuer's certificate.

9. crlDistributionPoints (CRL distribution points) - This specifies the extension to provide information about the CRL (Certificate Revocation List) maintained by the issuer.

For example, "crlDistributionPoints=URI:http://myhost.com/myca.crl" tells you the web page where the issuer's CRL is located.

10. certificatePolicies (Certificate Policies) - This specifies the extension to provide a list of policies applied to this certificate. Most of the time, it uses the OID (Object ID) code to refer to each specific policy.

For example, "certificatePolicies=2.5.29.32.0,1.3.6.1.4.1.11129.2.5.1" specifies two policies: 2.5.29.32.0 is the OID code referring to the generic "anyPolicy", 1.3.6.1.4.1.11129.2.5.1 is the OID code referring to the Google certificate policy.

By the way, you can flag any extension as a critical extension, by prefixing the value with "critical,". For example, "basicConstraints=critical,CA:true,pathlen:1" indicates this extension is a critical extension.
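The options above combined into one extension section, as an added example that is not part of the original tutorial: the script writes a configuration file, has "openssl req -x509" build a self-signed certificate from it, and reads the extensions back to confirm what was actually issued. The host name, section names and file paths are constructed placeholders, and the second run shows that a misspelled option name makes the command fail rather than producing a certificate without that extension.

```shell
#!/bin/sh
# Constructed example: names, paths and hosts below are placeholders.
work=$(mktemp -d)

write_cfg() {  # $1 = output file, $2 = name used for the extendedKeyUsage option
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_server

[ dn ]
CN = www.example.test

[ v3_server ]
basicConstraints     = critical,CA:FALSE
keyUsage             = critical,digitalSignature,keyEncipherment
$2 = serverAuth,clientAuth
subjectKeyIdentifier = hash
subjectAltName       = DNS:www.example.test,DNS:*.example.test,IP:192.168.7.1
EOF
}

make_cert() {  # $1 = config file, $2 = certificate to write
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$1" -keyout "$work/key.pem" -out "$2" 2>/dev/null
}

ext_value() {  # $1 = certificate, $2 = extension name as printed by "x509 -text"
  openssl x509 -in "$1" -noout -text |
    awk -v n="X509v3 $2:" 'f { gsub(/^ +| +$/, ""); print; exit }
                           index($0, n) { f = 1 }'
}

ext_is_critical() {  # same arguments as ext_value
  openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2: critical"
}

write_cfg "$work/good.cnf" extendedKeyUsage
make_cert "$work/good.cnf" "$work/good.pem"
for e in "Basic Constraints" "Key Usage" "Extended Key Usage" "Subject Alternative Name"; do
  printf '%s = %s\n' "$e" "$(ext_value "$work/good.pem" "$e")"
done

# A misspelled option name is rejected instead of being silently dropped.
write_cfg "$work/typo.cnf" extendedKeyUsagekeyUsage
make_cert "$work/typo.cnf" "$work/typo.pem" || echo "typo.cnf rejected by openssl req"
```

Reading the certificate back is the check that matters: the configuration file only states intent, while the "x509 -text" output shows which extensions and critical flags ended up in the certificate.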


2016-10-26