I'm using OpenSSL v1.1.1g and trying to add extensions to my self-signed CA certificate using the following bat script:

```bat
rem #Create CSR
openssl req -newkey rsa:4096 -keyout ca-key.pem -out ca.csr -subj "..." -addext "keyUsage = cRLSign, digitalSignature, keyCertSign"
rem #Sign it
openssl x509 -signkey ca-key.pem -in ca.csr -req -days 365 -out ca-cert.pem -extfile extensions.cnf
pause
```
These are the contents of extensions.cnf:

```
subjectAltName=DNS:localhost,IP:0.0.0.0,IP:127.0.0.1
crlDistributionPoints = URI:http://localhost:4444/crl.crl
keyUsage = cRLSign, digitalSignature, keyCertSign
basicConstraints=critical,CA:true,pathlen:0
```
It seems that neither -addext nor -extfile adds keyUsage to the cert, but crlDistributionPoints and basicConstraints work. Can someone post a solution for how to add keyUsage contents through similar command-line commands? I do not want to edit openssl.cnf.
EDIT: Added image of CA cert
CodePudding user response:
It seems that the reason for all this whackery was my aversion to openssl.cnf. The default config was used in the background, and I just had to create a minimal one by myself rather than using the default.
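
One way to do what the answer describes, as an added example that is not the poster's own config or script: a minimal config file passed with `-config`, followed by a check that keyUsage is in the resulting certificate. It is written for a POSIX shell, and it creates the key and self-signed certificate in one `openssl req -x509` step instead of the question's CSR-then-sign sequence. The section names, the CN, the file names and the temp directory are assumptions; the extension values are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the post): self-signed CA from a minimal config.
set -eu

# Minimal config; extension values are the ones listed in the question.
# Section names and the CN are constructed for this example.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Example Test CA

[ v3_ca ]
basicConstraints      = critical, CA:true, pathlen:0
keyUsage              = cRLSign, digitalSignature, keyCertSign
subjectAltName        = DNS:localhost, IP:0.0.0.0, IP:127.0.0.1
crlDistributionPoints = URI:http://localhost:4444/crl.crl
EOF
}

# Key and self-signed certificate in one step. -config makes openssl read
# this file instead of the default openssl.cnf. -nodes leaves the key
# unencrypted so the run is non-interactive; drop it to set a passphrase.
make_ca() {  # usage: make_ca <dir> [rsa_bits]
    write_ca_config "$1/ca.cnf"
    openssl req -x509 -newkey "rsa:${2:-4096}" -nodes -days 365 \
        -config "$1/ca.cnf" -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem"
}

# Print the value line that follows "X509v3 Key Usage" in the text dump.
key_usage() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Key Usage/{n;s/^ *//;s/ *$//;p;}'
}

out=$(mktemp -d)
make_ca "$out"
echo "Key Usage: $(key_usage "$out/ca-cert.pem")"
```

On Windows the same `openssl req` and `openssl x509` command lines apply, with the config saved as a file instead of written from a heredoc.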