OpenSSL "req -x509 -extensions" - Test Self-Signed Certificate V3 Extensions

Q

How to run OpenSSL "req -509" command to generate self-signed certificate with x.509 v3 extensions? I have x509_extensions option defined in the configuration file.

✍: FYIcenter.com

A

If you want to run OpenSSL "req -509" command to generate self-signed certificate with x.509 v3 extensions, you can follow this example:

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password  = fyicenter
x509_extensions = my_req_x509_ext

# section for "req -x509" command options
[my_req_x509_ext] 
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = cRLSign, keyCertSign
extendedKeyUsage       = codeSigning, timeStamping
subjectAltName         = DNS:ca.fyicenter.com, email:ca@fyicenter.com
issuerAltName          = issuer:copy

C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> req -x509 -in rsa_test.csr -key rsa_test.key -out test.crt 
   -config test.cnf

OpenSSL> x509 -in test.crt -text -noout
Certificate:
    ...
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
            X509v3 Authority Key Identifier:
                keyid:99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
                DirName:/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc
                        /emailAddress=john@donald.inc
                serial:9F:9C:32:31:B4:3D:B8:56

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Code Signing, Time Stamping
            X509v3 Subject Alternative Name:
                DNS:ca.fyicenter.com, email:ca@fyicenter.com
            X509v3 Issuer Alternative Name:
                DNS:ca.fyicenter.com, email:ca@fyicenter.com
    Signature Algorithm: md5WithRSAEncryption
         20:87:f1:2f:fa:95:38:56:8e:b3:cd:0f:08:74:bc:4a:61:06:
         01:a9:35:17:80:61:d9:91:80:23:bb:ec:9e:a5:fb:8b:e9:e9:
         0d:ab:c3:d9:0a:c7:0e:35:d7:58:00:07:ad:00:d0:4f:85:1a:
         58:ce:9a:f9:1c:75:ba:41:89:69

As you can see from the output, x.509 v3 extensions are added to the self-signed certificate correctly.

⇒ OpenSSL "req -new" - CSR Attributes

⇐ OpenSSL "req -x509 -extensions" - Specify Self-Signed Certificate V3 Extensions

⇑ OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-09-23, 2288👍, 0💬

OpenSSL "req -new" - CSR Attributes
How to add attributes in new CSR using OpenSSL "req -new" command? I was asked to create a CSR with a challenge password an attribute. In order to add attributes to new CSR created by the OpenSSL "req -new" command, first you need to write attribute options in a named section in the configuration fi... 2016-09-23, 9939👍, 0💬

OpenSSL "req" - X509 V3 Extensions Configuration Options
What are X509 V3 extensions options in the configuration file for the OpenSSL "req" command? X509 V3 extensions options in the configuration file allows you to add extension properties into x.509 v3 certificate when you use OpenSSL commands to generate CSR and self-signed certificates. X509 V3 exten... 2016-10-26, 9890👍, 0💬

OpenSSL "ca" Command Options
What can I use OpenSSL "ca" command for? What are options supported by the "ca" command? OpenSSL "ca" command is a CA (Certificate Authority) tool. It can be used to sign CSR (Certificate Signing Request) in a variety of forms and generate CRLs. It also maintains a text database of issued certificat... 2016-09-18, 7983👍, 0💬

OpenSSL "req -x509 -extensions" - Specify Self-Signed Certificate V3 Extensions
How to specify x.509 v5 extensions options in the configuration file for generating self-signed certificate using the OpenSSL "req -x509" command? You can use x.509 v3 extensions options when using OpenSSL "req -x509" command to generate a self-signed certificate. The provided x509 extensions will b... 2016-10-25, 6164👍, 0💬

OpenSSL "req -new" - DN Fields for Personal Certificates
How to use additional DN fields to create CSR for personal certificates? You can set additional DN fields in the configuration file to allow OpenSSL "req -new" command to generate CSR for personal certificates. Additional DN fields are: emailAddress, name, surname, givenName, initials and dnQualifie... 2016-10-27, 5689👍, 0💬

OpenSSL "req" - Good Sample openssl.conf
Where can I get a good sample configuration file openssl.conf for OpenSSL "req" command? Below is a good sample configuration file openssl.conf for OpenSSL "req" command with explanations: C:\Users\fyicenter>type openssl.conf # Unnamed section of generic options # ... # ----------------------... 2016-09-23, 5666👍, 0💬

OpenSSL "ca" Command
Where to find tutorials on using OpenSSL "ca" command? Here is a collection of tutorials on using OpenSSL "ca" command compiled by FYIcenter.com team. OpenSSL "ca" Command Options OpenSSL "ca" - Create CSR for Testing OpenSSL "ca" - Create CA Certificate for Testing OpenSSL "ca" Error "./demoCA/newc... 2016-09-23, 4347👍, 0💬

OpenSSL "req -new -reqexts" - Test CSR V3 Extensions
How to run OpenSSL "req -new" command to generate CSR with x.509 v3 extensions? I have req_extensions option defined in the configuration file. If you want to run OpenSSL "req -new" command to generate CSR with x.509 v3 extensions, you can follow this example: C:\Users\fyicenter>type test.cnf... 2016-10-25, 2667👍, 0💬

OpenSSL "req -x509 -extensions" - Test Self-Signed Certificate V3 Extensions
How to run OpenSSL "req -509" command to generate self-signed certificate with x.509 v3 extensions? I have x509_extensions option defined in the configuration file. If you want to run OpenSSL "req -509" command to generate self-signed certificate with x.509 v3 extensions, you can follow this example... 2016-09-23, 2289👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.