Creating an x509 v3 user certificate by signing CSR

StackOverflow https://stackoverflow.com/questions/18233835

Question

I know how to sign a CSR using openssl, but the result certificate is an x509 v1, and not v3.

I'm using the following commands:

x509 -req -days 365 -in myCSR.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

I've searched but have not been able to find a solution. Is there another way to do this programmatically?

Was it helpful?

Solution

You need to specify an extensions file.

For example:

openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

The extensions file (v3.ext) can look like this:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

OTHER TIPS

The answer of gtrig works if you have -req as well. It didn't work without that for me.

So the command is:

openssl x509 -req -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt  -days 365

(had to give as a new answer as I don't have enough rep. to comment).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top