OpenSSL "req -new -reqexts" - Specify CSR V3 Extensions

Q

How to specify x.509 v3 extensions options in the configuration file for generating CSR using the OpenSSL "req" command?

✍: FYIcenter.com

A

You can use x.509 v3 extensions options when using OpenSSL "req -new" command to generate a CSR (Certificate Signing Request). The provided x509 extensions will be included in the resulting CSR.

In order to user x.509 v3 extensions options for the OpenSSL "req -new" command, first you need write them in a named section in the configuration file. For example:

[my_req_ext]
basicConstraints       = critical, CA:false
subjectKeyIdentifier   = hash
keyUsage               = cRLSign, keyCertSign
extendedKeyUsage       = codeSigning, timeStamping
subjectAltName         = email:john@fyicenter.com

Then you can provided this named section [my_req_ext] to the "req -new" command in two ways:

1. Using "req_extensions" option in the [req] section - You can set "req_extensions=my_req_ext" in the [req] section of the configuration file. For example:

[req]
default_bits       = 1024
input_password     = fyicenter
req_extensions     = my_req_ext 

[my_req_ext]
...

2. Using "-reqexts" option in the "req -new" command - For example, "req -new -reqexts my_req_ext" command will take x.509 v3 extensions from the [my_req_ext] section in the configuration file.

Note that you can not use all x.509 v3 extensions when generating s CSR using the "req -new" command, because some of them can not be supported in CSR, like authorityKeyIdentifier and issuerAltName.

 

OpenSSL "req -new -reqexts" - Test CSR V3 Extensions

OpenSSL "req" - X509 V3 Extensions Configuration Options

OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-10-25, 2192👍, 0💬