OpenSSL "req -new -reqexts" - Test CSR V3 Extensions

Q

How do I run the OpenSSL "req -new" command to generate a CSR with X.509 v3 extensions? I have the req_extensions option defined in the configuration file.

✍: FYIcenter.com

A

If you want to run the OpenSSL "req -new" command to generate a CSR with X.509 v3 extensions, you can follow this example:

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
default_bits       = 1024
input_password     = fyicenter
prompt             = yes
distinguished_name = my_req_dn_prompt
req_extensions     = my_req_ext 

# section for DN fields
[my_req_dn_prompt]
emailAddress         = Email
emailAddress_default = john@it.fyicenter.com

# section for x.509 v3 extension for CSR
[my_req_ext]
basicConstraints       = critical, CA:false
subjectKeyIdentifier   = hash
keyUsage               = cRLSign, keyCertSign
extendedKeyUsage       = codeSigning, timeStamping
subjectAltName         = email:john@fyicenter.com

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Email [john@it.fyicenter.com]:

OpenSSL> req -in test.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=john@it.fyicenter.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c2:70:cd:16:29:62:cb:5d:70:5b:5f:45:bb:34:
                    d4:fb:dd:dd:c7:e3:68:3c:2f:8b:06:0a:71:20:bd:
                    ff:94:98:e4:33:51:f7:08:a2:86:6f:fd:08:51:9b:
                    06:28:8d:48:f3:0f:23:a3:67:bf:e7:b0:9d:a7:2d:
                    f8:85:2c:9b:be:4f:44:62:71:de:e6:0e:52:9b:e0:
                    37:a5:93:54:84:3c:58:87:c7:53:bd:6a:51:70:55:
                    93:dd:58:7d:73:7e:01:1b:19:f0:36:be:bc:b4:20:
                    7c:82:e1:ff:89:b6:83:e3:7a:5a:11:e7:27:e3:bf:
                    02:5f:5a:b7:25:a0:c7:58:5f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                53:81:07:93:7F:60:94:B2:37:2C:B8:2B:8A:2B:5C:08:BC:7A:C8:9E
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Code Signing, Time Stamping
            X509v3 Subject Alternative Name:
                email:john@fyicenter.com
    Signature Algorithm: md5WithRSAEncryption
         89:a9:ee:b1:c1:e4:96:51:a6:f7:f8:75:63:fd:51:5b:94:ad:
         c7:e5:63:6e:58:db:4e:ef:f2:fc:87:6f:fa:2e:66:32:bb:9f:
         ba:d6:50:d7:f7:dc:44:1b:da:2f:f8:e1:4f:47:b3:75:8e:a7:
         4a:10:a1:e2:ea:e8:f7:f4:99:73:f6:0f:a6:85:b1:8c:16:44:
         05:19:f7:8c:59:c5:fc:d8:cb:a3:f5:69:45:74:a2:66:a4:d3:
         0f:d3:0d:53:40:80:42:1c:3e:87:7d:99:e4:43:e0:22:9f:11:
         5b:e4:a2:9c:29:06:e9:bb:f0:01:33:c4:8c:2e:eb:6e:fc:6e:
         f6:c1

The "Requested Extensions" block in the output confirms that the X.509 v3 extensions from the [my_req_ext] section were inserted correctly in the resulting CSR.
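The test values above are well-formed, but a reviewer would flag several of them before signing: a 1024-bit RSA key, an MD5 signature digest, and keyCertSign requested together with CA:false. The following Python check is an added example, not part of the original tutorial; it lints the text printed by "req -in test.csr -text -noout", and its function names, finding labels and 2048-bit threshold are assumptions made for illustration.

```python
import re

# Abbreviated copy of the "req -text -noout" output shown above
# (modulus, signature bytes and a few unrelated lines omitted).
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Subject: emailAddress=john@it.fyicenter.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Code Signing, Time Stamping
    Signature Algorithm: md5WithRSAEncryption
"""

def parse_extensions(text):
    """Map each 'X509v3 <name>:' header to the value line that follows it."""
    exts, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*X509v3 ([^:]+):\s*(critical)?\s*$", line)
        if m and i + 1 < len(lines):
            exts[m.group(1)] = lines[i + 1].strip()
    return exts

def lint_csr(text, min_rsa_bits=2048):
    """Return a list of findings; the threshold is an assumed policy value."""
    findings = []
    exts = parse_extensions(text)
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if bits and int(bits.group(1)) < min_rsa_bits:
        findings.append(f"weak-key: {bits.group(1)}-bit key")
    sig = re.search(r"Signature Algorithm: (\S+)", text)
    if sig and re.search(r"md5|sha1", sig.group(1), re.I):
        findings.append(f"weak-digest: {sig.group(1)}")
    usage = [u.strip() for u in exts.get("Key Usage", "").split(",")]
    if "CA:FALSE" in exts.get("Basic Constraints", "") and "Certificate Sign" in usage:
        findings.append("inconsistent: keyCertSign requested with CA:FALSE")
    return findings

if __name__ == "__main__":
    for finding in lint_csr(SAMPLE_CSR_TEXT):
        print(finding)
```

In test.cnf the three findings map to default_bits (or the size of rsa_test.key), default_md, and the keyUsage line in [my_req_ext].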

 

2016-10-25