
While running the following command on Ubuntu 19.10, with OpenSSL 1.1.1c 28 May 2019:

openssl req -config ${CNF_FILE} -key ${PRIVATE_FILE} -new -x509 -days 10950 -sha384 -extensions v3_ca -out ${CERT_FILE}

I receive the following output:

Error Loading extension section v3_ca

140710502360256:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509v3/v3_conf.c:78:

140710502360256:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=copy_extensions, value=copy

With the following config file:

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /home/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca_ecc.key.pem
certificate       = $dir/certs/ca_ecc.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = US
stateOrProvinceName_default     = My State
localityName_default            = My City
0.organizationName_default      = My Company
organizationalUnitName_default  = My Office
emailAddress_default            = certificates@certificates.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
copy_extensions = copy
preserve = yes

The error eludes me. To give some background, my attempt is to use copy_extensions so that when I pass in a subjectAltName via -addext (or via any means) to the CSR, the subjectAltName will pass into the signed cert when executing the following (the following are openssl commands for the Intermediate Cert to sign and create a client- or server-based cert, and it all functions fine, except for what I just stated):

openssl ${algo_GEN} -out $PRIVATE_FILE

openssl req -config $CNF_FILE -key $PRIVATE_FILE -new -addext "subjectAltName = ${SAN_LIST}" -sha384 -out $CSR_FILE << EOF





${CERT_ID}

EOF

openssl ca -batch -config $CNF_FILE -extensions ${EXTENSION} -days 375 -notext -md sha384 -in $CSR_FILE -out $CERT_FILE -passin pass:${pass_key}
jj_inno
  • Thank you for your response, but it does not "The copy_extensions directive is only understood by the openssl ca command. There is no way to copy extensions from a CSR to the certificate with the openssl x509 command." I am attempting to use ca and not x509, and I am also avoiding the use of adding the SAN to the config file because I need to add unique SANs on a regular basis without the having to use the config file. – jj_inno Jun 29 '20 at 18:31
  • "I am attempting to use ca and not x509" - but your initial `openssl req` command specifies `-extensions v3_ca`, so you are indeed using it here with `req`, and not just with `ca`. – Crowman Jun 29 '20 at 19:19
  • I see what you are pointing out with regards to my initial codeblock, but that same error still appears when I am creating an Intermediate CA that doesn't contain the -x509 flag. 140599418533056:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509v3/v3_conf.c:78: 140599418533056:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=copy_extensions, value=copy – jj_inno Jun 29 '20 at 19:52
  • Unless the initial CA needs to be created without the -x509 flag and that is causing the error to appear later because it is assigned -x509, but if that is true, I'm not sure of any way around that because, my understanding is, -x509 is needed for a self-signed cert when creating a CA. – jj_inno Jun 29 '20 at 19:54
  • Can't you just create a separate config file section which doesn't include the `copy_extensions`, and specify that whenever you're not using `openssl ca`? – Crowman Jun 29 '20 at 20:15
  • From what I've gathered, I need copy_extensions to be used so that I can pass SANs defined in the CSR to the signed cert created by openssl ca. – jj_inno Jun 29 '20 at 20:34
  • Yes, but you only need it for the `openssl ca` command itself. It won't work with the other commands because they don't recognize it, as you're finding. – Crowman Jun 29 '20 at 20:40
  • That may be so, but if it is so, do you know how I can accomplish passing SANs from the CSR to the Signed Cert with the information that you have before you? This is not an aggressive challenge, just me seeking a perspective that I may be missing here. – jj_inno Jun 29 '20 at 20:56
  • I feel like I (and the duplicate answer, for that matter) have said that a few times already: use the `openssl ca` command with `copy_extensions` to create your signed cert, and don't use `copy_extensions` when creating your CSR. Using `copy_extensions` when creating your CSR makes no sense, because you're not trying to copy extensions from anywhere. – Crowman Jun 29 '20 at 21:18
  • I am providing the link to the answer to this question at the bottom, but to give a summary of the answer, the 'copy_extensions' must be placed in the 'CA_default' extensions location within the config file. Same with the 'preserve' option. They can't exist where they are because they have to be directly associated with the CA, not as part of an extension that is being called. https://security.stackexchange.com/questions/233964/error-loading-extension-copy-extensions-in-openssl/233967?noredirect=1#comment478816_233967 – jj_inno Jun 30 '20 at 15:52

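The resolution in the last comment (move copy_extensions and preserve out of [ v3_ca ] and into the CA section that [ ca ] default_ca points to) can be checked mechanically before openssl is ever run. The script below is an added example written for this page; it is not code from the question, the answer or OpenSSL. It assumes only what the error output and the final comment establish: every key inside a section used as an extension section (named by x509_extensions, req_extensions, crl_extensions, or passed with -extensions) is parsed by X509V3_EXT_nconf as an extension name, while copy_extensions and preserve are options of the openssl ca section. The SAMPLE_CONFIG is a constructed, trimmed copy of the asker's layout; the cli_extensions parameter is an assumed hook for sections only named on the command line.

```python
"""Lint an OpenSSL config for `ca`-only directives placed in extension sections.

Added example for this page, not code from the question or from OpenSSL.
Assumption: copy_extensions and preserve belong in the section that
`[ ca ] default_ca` names; inside any extension section they are parsed
as extension names and fail with "unknown extension name".
"""
import re

# Keys `openssl ca` reads from its CA section that are NOT X.509 extension names.
CA_ONLY_KEYS = {"copy_extensions", "preserve"}

# Config keys whose value names a section that X509V3_EXT_nconf will parse.
EXTENSION_POINTERS = {"x509_extensions", "req_extensions", "crl_extensions"}

HEADER_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")

# Constructed sample: the structure of the asker's config, trimmed.
SAMPLE_CONFIG = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/ca
policy = policy_strict

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
copy_extensions = copy
preserve = yes
"""


def parse_sections(text):
    """Return {section: [(key, value), ...]}, ignoring comments and blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def extension_section_names(sections, cli_extensions=()):
    """Sections that will be parsed as extension sections (config + -extensions)."""
    names = set(cli_extensions)
    for pairs in sections.values():
        names.update(value for key, value in pairs if key in EXTENSION_POINTERS)
    return names


def ca_section_name(sections):
    """The CA section selected by `[ ca ] default_ca`, or None if absent."""
    return dict(sections.get("ca", [])).get("default_ca")


def find_misplaced(sections, cli_extensions=()):
    """Return [(section, key)] for ca-only keys sitting in an extension section."""
    return [
        (sec, key)
        for sec in extension_section_names(sections, cli_extensions)
        for key, _ in sections.get(sec, [])
        if key in CA_ONLY_KEYS
    ]


def relocate(text, cli_extensions=()):
    """Move ca-only keys from extension sections into the CA section, keeping comments."""
    sections = parse_sections(text)
    ext_sections = extension_section_names(sections, cli_extensions)
    ca_sec = ca_section_name(sections)
    if ca_sec is None:
        raise ValueError("config has no [ ca ] default_ca entry")
    moved, kept, current = [], [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.split("#", 1)[0])
        if m:
            current = m.group(1)
        elif current in ext_sections:
            key = raw.split("#", 1)[0].split("=", 1)[0].strip()
            if key in CA_ONLY_KEYS:
                moved.append(raw.strip())  # pull it out of the extension section
                continue
        kept.append(raw)
    out = []
    for raw in kept:
        out.append(raw)
        m = HEADER_RE.match(raw.split("#", 1)[0])
        if m and m.group(1) == ca_sec:
            out.extend(moved)  # re-insert right under the CA section header
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sec, key in find_misplaced(parse_sections(SAMPLE_CONFIG)):
        print(f"{key} in [ {sec} ] will fail with 'unknown extension name'")
    print(relocate(SAMPLE_CONFIG))
</test>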
0 Answers0