
I am signing PDFs with a self-signed, digitally signed certificate, and I am looking for a way to add the keyUsage (link). I found this article and changed my openssl.cnf accordingly.

req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment,dataEncipherment

I am using the following code to self-sign a digital signature:

openssl genrsa -des3 -passout pass:1234 -out aaa.private.pem -extensions v3_req

openssl req -passout pass:1234 -subj "/C=IL/ST= - /L=/O=/CN=AB" -utf8 -key aaa.private.pem -passin pass:1234 -new > aaa.cert.csr -extensions v3_req

openssl rsa -in aaa.private.pem -passin pass:1234 -out aaa.key

openssl x509 -req -days 3650 -in aaa.cert.csr -out aaa.cert -signkey aaa.key -CA myCA.ca.cert -CAkey myCA.ca.key -CAcreateserial -extensions v3_req

openssl pkcs12 -passout pass:pkcs12511260945 -export -in aaa.cert -out aaa.cert.p12 -inkey aaa.key

openssl pkcs12 -in aaa.cert.p12 -out aaa.cert.crt -password pass:1234 -nodes

While the output of the next command:

openssl req -text -noout -in aaa.cert.csr

is:

Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IL, ST= - , O=45, CN=AN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:0c:71:fb:b3:76:40:a4:1c:5b:45:5e:4d:b8:
...
60:ff:c4:52:4e:88:fe:82:2d:76:60:d2:68:73:d9:
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Signature Algorithm: sha1WithRSAEncryption
79:a3:ae:48:9a:de:02:3b:31:06:c9:f8:57:b6:1c:10:e4:c2:
...
15:4d:4f:31:72:b8:9f:7a:d1:94:9b:05:8b:b9:fa:f4:7f:33:

The problem

When I use the aaa.cert.p12 file to sign my PDFs, the signature is good, but Acrobat Reader says "keyUsage - not specified".

I don't know what I should do...

jww
Wazime
  • 3
    It does not really make sense to create a CA certificate (basicConstraints = CA:TRUE) here. Have you tried FALSE? – mkl Jul 23 '15 at 04:24
  • 1
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Jul 23 '15 at 14:54
  • 3
    Also see [How do you sign Certificate Signing Request with your Certification Authority?](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/a/27931596/608639) They show you how to add the key usage, add the DNS names in the proper place, etc... – jww Jul 23 '15 at 14:57
  • 5
    First of all, thanks for your answer. Second, OpenSSL is a dev tool; you may use it on any system, Linux, Unix and Windows alike. I need it to create a signature to sign PDFs, and I am looking for the right syntax; this is not an IT question. – Wazime Jul 23 '15 at 20:06

0 Answers
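An added example, not part of the original question or its comments: `openssl x509 -req` does not carry the extensions requested in a CSR into the certificate unless it is given an extension file, so the sketch below issues two certificates from one CSR, once as in the question and once with `-extfile`/`-extensions`, and compares their Key Usage. The CA and subject names, file names and the `demo.cnf` layout are constructed for the demo, and `CA:FALSE` follows the suggestion in the first comment.

```shell
#!/bin/sh
# Added example. All names (Demo CA, Demo Signer, file names) are constructed;
# keys are throwaway and unencrypted (-nodes) because this is only a demo.

# One config serves as CSR template (-config) and as signing-time -extfile.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
EOF
}

# Creates in directory $1: a demo CA, a CSR that requests v3_req, and two
# certificates issued from that same CSR:
#   no_ext.pem    issued without an extension file, as in the question
#   with_ext.pem  issued with -extfile/-extensions naming the v3_req section
build_demo() {
    d=$1
    write_cnf "$d/demo.cnf" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -config "$d/demo.cnf" -extensions v3_ca \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
        -config "$d/demo.cnf" -reqexts v3_req \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/no_ext.pem" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/with_ext.pem" \
        -extfile "$d/demo.cnf" -extensions v3_req 2>/dev/null
}

# Prints the Key Usage of a CSR ($1 = req) or certificate ($1 = x509),
# or "none" when the extension is absent.
key_usage() {
    ku=$(openssl "$1" -in "$2" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//; s/ *$//')
    echo "${ku:-none}"
}
```

After `build_demo "$(mktemp -d)"`, running `key_usage x509` on the two certificates shows which one a PDF viewer would report as having no key usage, while `key_usage req` on `leaf.csr` shows the request carried it all along.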