OpenSSL "req -x509 -extensions" - Test Self-Signed Certificate V3 Extensions

Q

How do I run the OpenSSL "req -x509" command to generate a self-signed certificate with X.509 v3 extensions? I have the x509_extensions option defined in the configuration file.

✍: FYIcenter.com

A

To run the OpenSSL "req -x509" command and generate a self-signed certificate with X.509 v3 extensions, point the x509_extensions option in the [req] section at a section that lists the extensions, as in this example:

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password  = fyicenter
x509_extensions = my_req_x509_ext

# section for "req -x509" command options
[my_req_x509_ext] 
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = cRLSign, keyCertSign
extendedKeyUsage       = codeSigning, timeStamping
subjectAltName         = DNS:ca.fyicenter.com, email:ca@fyicenter.com
issuerAltName          = issuer:copy

C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> req -x509 -in rsa_test.csr -key rsa_test.key -out test.crt -config test.cnf

OpenSSL> x509 -in test.crt -text -noout
Certificate:
    ...
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
            X509v3 Authority Key Identifier:
                keyid:99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
                DirName:/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc
                        /emailAddress=john@donald.inc
                serial:9F:9C:32:31:B4:3D:B8:56

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Code Signing, Time Stamping
            X509v3 Subject Alternative Name:
                DNS:ca.fyicenter.com, email:ca@fyicenter.com
            X509v3 Issuer Alternative Name:
                DNS:ca.fyicenter.com, email:ca@fyicenter.com
    Signature Algorithm: md5WithRSAEncryption
         20:87:f1:2f:fa:95:38:56:8e:b3:cd:0f:08:74:bc:4a:61:06:
         01:a9:35:17:80:61:d9:91:80:23:bb:ec:9e:a5:fb:8b:e9:e9:
         0d:ab:c3:d9:0a:c7:0e:35:d7:58:00:07:ad:00:d0:4f:85:1a:
         58:ce:9a:f9:1c:75:ba:41:89:69   

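As you can see from the output, the X.509 v3 extensions listed in the [my_req_x509_ext] section are added to the self-signed certificate correctly. Note that default_md = md5 in test.cnf makes OpenSSL sign the certificate with md5WithRSAEncryption, as the last part of the output shows. MD5 is not collision-resistant, so set default_md = sha256 for any certificate that will be used outside a test.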
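One way to check such a dump automatically instead of by eye, as an added example that is not part of the original page: the function below reads "x509 -text -noout" output and reports CA-extension and signature-digest problems. The function names are hypothetical, and the checks assume the certificate is meant to be a CA certificate, as in test.cnf.

```sh
#!/bin/sh
# Added example (not from the original page). Audits the text form of a CA
# certificate, i.e. the output of `openssl x509 -in test.crt -text -noout`,
# read on stdin. Prints one FAIL line per finding; returns 1 if any, else 0.
audit_cert_text() {
  awk '
    /X509v3 Basic Constraints:/ { bc = 1; bc_crit = ($0 ~ /critical/); want = "bc"; next }
    /X509v3 Key Usage:/         { ku = 1; want = "ku"; next }
    /Signature Algorithm:/      { sig = $0; sub(/^.*Signature Algorithm:[ \t]*/, "", sig)
                                  sub(/[ \t\r]+$/, "", sig); want = ""; next }
    # The line that follows an extension header carries its value.
    want == "bc" { ca = ($0 ~ /CA:TRUE/); want = ""; next }
    want == "ku" { sign = ($0 ~ /Certificate Sign/); want = ""; next }
    END {
      n = 0
      if (!bc)           { print "FAIL basicConstraints is missing"; n++ }
      else if (!ca)      { print "FAIL basicConstraints does not assert CA:TRUE"; n++ }
      else if (!bc_crit) { print "FAIL basicConstraints is not marked critical"; n++ }
      if (!ku)           { print "FAIL keyUsage is missing"; n++ }
      else if (!sign)    { print "FAIL keyUsage lacks keyCertSign"; n++ }
      if (sig == "")     { print "FAIL no signature algorithm found"; n++ }
      else if (tolower(sig) ~ /md[245]|sha1/) { print "FAIL weak signature digest: " sig; n++ }
      exit (n > 0)
    }'
}

# Extension and signature lines copied from the test.crt dump shown on this page.
sample_from_page() {
  cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Code Signing, Time Stamping
    Signature Algorithm: md5WithRSAEncryption
EOF
}

# Constructed sample: the same dump as it would read with default_md = sha256.
sample_sha256() {
  sample_from_page | sed 's/md5With/sha256With/'
}
```

Against a real file, run `openssl x509 -in test.crt -text -noout | audit_cert_text` and check the exit status.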

 

2016-09-23