Question

I am having a problem using the example provided by OpenSSL to create a certificate request with v3 extensions. The entire code can be found in mkreq.c in Openssl/demos/x509/

Adding some x509v3 extensions to a cert request works fine. I can add the key usage or a subject alt name:

add_ext(exts, NID_key_usage, "critical,digitalSignature,keyEncipherment");
add_ext(exts, NID_subject_alt_name, "email:steve@openssl.org");

but when I try to add an AuthorityKeyIdentifier, it does not work...

add_ext(exts, NID_authority_key_identifier, "keyid,issuer");

The add_ext function is also provided in mkreq.c:

#include <openssl/x509v3.h>

/* Build a v3 extension from its config-style value and push it onto the
 * request's extension stack. The X509V3_CTX argument is NULL here, so
 * extensions that must consult an issuer certificate cannot be built. */
int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value)
{
    X509_EXTENSION *ex;

    ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
    if (!ex)
        return 0;
    sk_X509_EXTENSION_push(sk, ex);

    return 1;
}

Does somebody have a clue why some extensions work and some do not? When I add the same extensions to a self-signed certificate, it works well...


Solution

After researching for some time, it appears that this is not possible since you don't know the CA when you are creating a certificate request...

OTHER TIPS

I find the following worthwhile to share, though I am not sure this is relevant to your situation.

When generating self-signed certs on the command line, the order of some extensions is important. If you want the keyid to be used as the authority key id, you must declare the subjectKeyIdentifier first.

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

In that case authorityKeyIdentifier will be filled with the keyid, and issuer will not be used.

If you declare in the opposite order, authorityKeyIdentifier will be filled with the issuer instead. Possibly because the program tries to init authorityKeyIdentifier based on subjectKeyIdentifier.

If you declared authorityKeyIdentifier = keyid:always, then a hard error is thrown because keyid is not known.

I hope it will help someone. It took me a while to tackle that one.

Also, avoid the CA constraint:

authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow