2

I have following CSR:

Certificate Request:
Data:
    Version: 0 (0x0)
    Subject: C=US, CN=www.example.com
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
            pub: 
                04:e5:1d:a3:b2:47:1b:7c:05:f3:f3:36:b6:b2:0f:
                79:27:0f:80:4c:39:1b:8c:6c:38:eb:43:f3:b4:33:
                f4:7a:c5:de:2c:f7:28:69:e5:d1:88:6b:41:6c:5f:
                b6:55:b5:2a:29:69:a4:da:fa:17:ac:6a:a0:5f:30:
                9d:07:55:4f:52
            ASN1 OID: prime256v1
            NIST CURVE: P-256
    Attributes:
    Requested Extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: 
            Code Signing
        X509v3 Basic Constraints: critical
            CA:FALSE
Signature Algorithm: ecdsa-with-SHA256
     30:45:02:21:00:b4:d8:73:e3:c0:2c:38:7d:44:c6:ed:c2:30:
     fb:0d:ca:99:74:fb:b9:2e:7e:72:d0:1a:6f:b5:89:8c:c2:e9:
     bd:02:20:45:91:99:3a:71:6c:f0:72:48:2f:c7:4c:93:d3:89:
     69:40:d1:b6:72:0f:e4:a9:2f:a8:cc:a5:3b:00:27:85:6d

But when I attempt to process the CSR:

openssl x509 -req -SHA256 -in [file].csr -CA ca.crt -CAkey ca.key -out [file].crt

I get the following certificate:

Certificate:
Data:
    Version: 1 (0x0)
    Serial Number:
        d8:2d:19:4b:d4:32:dc:0a
Signature Algorithm: ecdsa-with-SHA256
    Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
    Validity
        Not Before: Apr 29 00:31:04 2017 GMT
        Not After : May 29 00:31:04 2017 GMT
    Subject: C=US, CN=www.example.com
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
            pub: 
                04:e5:1d:a3:b2:47:1b:7c:05:f3:f3:36:b6:b2:0f:
                79:27:0f:80:4c:39:1b:8c:6c:38:eb:43:f3:b4:33:
                f4:7a:c5:de:2c:f7:28:69:e5:d1:88:6b:41:6c:5f:
                b6:55:b5:2a:29:69:a4:da:fa:17:ac:6a:a0:5f:30:
                9d:07:55:4f:52
            ASN1 OID: prime256v1
            NIST CURVE: P-256
Signature Algorithm: ecdsa-with-SHA256
     30:45:02:21:00:97:a5:09:15:0b:fb:29:df:7b:59:8f:95:01:
     cd:81:04:a5:36:c2:c4:5d:fa:6f:f1:2f:72:c2:eb:7c:d1:92:
     2e:02:20:69:00:07:50:87:e5:a2:e9:a3:bf:a6:52:9c:80:df:
     b4:69:34:3f:e0:a9:09:75:f8:03:ce:46:1a:43:cf:a2:a9

So what the heck happened to the requested extensions that were in the CSR? What am I doing wrong?

tx! :-)

p.s. stack exchanged didn't like this post because it said it was too much code and not enough text, so please ignore the rest of this because if is just filler text ...

lewiada
  • 1,397
  • 2
  • 10
  • 15
  • 2
    OpenSSL **`x509 -req` ignores extensions in the CSR**. You can either use `ca` which can copy extensions to the cert if configured, or you can specify the extensions in the `x509 -req` command _not_ the CSR. This is really a tool-use issue not a programming issue and thus is answered at https://serverfault.com/questions/845806/how-to-issue-ssl-certificate-with-san-extension – dave_thompson_085 Apr 29 '17 at 01:53
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Apr 29 '17 at 12:22
  • Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639). Pay attention to `copy_extensions` in the conf file. – jww Apr 29 '17 at 12:23

0 Answers0