[gnutls-devel] GnuTLS | certtool - no x509v3 extensions copied from template file - honor_crq_extensions makes no difference (#1600)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Oct 28 18:45:29 CET 2024



James created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1600



Arch Linux
gnutls 3.8.7-1
```
mailcert.conf
--------
dn = " C = US,ST = State,L = City,O = Org,OU = Operations,CN = mail_server_2 "
serial = 202410
dns_name = "*.example.net"
ip_address = "192.168.2.3"
encryption_key
tls_www_server
email_protection_key
honor_crq_extensions
```
```
certtool --generate-certificate --load-privkey mailkey.pem --load-ca-privkey cakey.pem --load-ca-certificate cacert.pem --template mailcert.conf --outfile brokenmailcert.pem
```
```
$ certtool --certificate-info --infile brokenmailcert.pem
--------
...
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Usage (critical):
                        Digital signature.
                Subject Key Identifier (not critical):
                        34a978cda35221f9d26f79592fefc2483a63fe0e
                Authority Key Identifier (not critical):
                        56c7328e3f7cc921a85ac83d1d1e79ec727b665b
...
```
"Key Purpose" is ignored, "Subject Alternative Name" is completely missing, the Before and After dates are set to 1 year, and any expiration_days setting in the template file is also ignored.

Around 2 years ago, this used to work as expected.  But now, no joy.  What's happening here?  Searching under topics like "certtool extensions" or "honor_crq_extensions" turns up nothing pertinent. `certtool --generate-request ...` is equally devoid of Extensions settings.

Was there some change in certtool "policy"?  Or do I have a "broken" gnutls build?  Or something else?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1600
You're receiving this email because of your account on gitlab.com.
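
A way to catch this kind of silent omission before a certificate is deployed, as an added example (not part of the original report and not GnuTLS project code): compare the directives in a certtool template against the extension headings in `certtool --certificate-info` output. The directive-to-heading mapping and all function names are assumptions made for this illustration.

```python
import re

# Assumed mapping (not from the report): template directive -> extension heading
# printed by `certtool --certificate-info` when the directive took effect.
DIRECTIVE_TO_EXTENSION = {
    "dns_name": "Subject Alternative Name",
    "ip_address": "Subject Alternative Name",
    "tls_www_server": "Key Purpose",
    "email_protection_key": "Key Purpose",
    "encryption_key": "Key Usage",
}

def requested_extensions(template_text):
    """Map each expected extension heading to the template directives asking for it."""
    wanted = {}
    for raw in template_text.splitlines():
        # First token of the line; empty for blank lines and '#' comments.
        key = re.split(r"[\s=#]", raw.strip(), maxsplit=1)[0]
        ext = DIRECTIVE_TO_EXTENSION.get(key)
        if ext:
            wanted.setdefault(ext, []).append(key)
    return wanted

def present_extensions(info_text):
    """Extension headings such as 'Key Usage (critical):' found in the info dump."""
    return set(re.findall(r"^\s*(.+?) \((?:not )?critical\):\s*$", info_text, re.M))

def missing_extensions(template_text, info_text):
    """Requested extensions absent from the certificate (heading-level check only)."""
    present = present_extensions(info_text)
    return {e: k for e, k in requested_extensions(template_text).items() if e not in present}

# Sample input: directive lines and extension headings as posted in the report.
TEMPLATE = '''serial = 202410
dns_name = "*.example.net"
ip_address = "192.168.2.3"
encryption_key
tls_www_server
email_protection_key
honor_crq_extensions'''
INFO = """        Extensions:
                Basic Constraints (critical):
                Key Usage (critical):
                Subject Key Identifier (not critical):
                Authority Key Identifier (not critical):"""

if __name__ == "__main__":
    for ext, keys in missing_extensions(TEMPLATE, INFO).items():
        print(f"MISSING {ext} (requested by: {', '.join(keys)})")
```

The check only confirms that an extension heading is present; it does not verify the values inside it, so a "Key Usage" section that lacks the requested usage still passes.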

