[gnutls-help] certtool - key encipherment (X.509v3 extension)

Tobias --- tobbe.se at gmail.com
Mon Dec 14 10:31:07 CET 2015


2015-12-14 9:43 GMT+01:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:

> On Sun, Dec 13, 2015 at 9:34 PM, Tobias --- <tobbe.se at gmail.com> wrote:
> > Hello!
> >
> > I'm trying to create a certificate that contains the necessary options to
> > let the libvirtd service work as intended with remote control over TLS.
> >
> > I have created my own CA using certtool and the problem that I'm having is
> > with the server certificate.
> > The template that I'm using when I create the CSR is as follows:
> > organization = "Local libvirtd"
> > unit = "libvirtd server"
> > cn = "oink"
> > country = "SE"
> > state = "Sweden"
> > expiration_days = 1095
> > tls_www_server
> > signing_key
> > encryption_key
> > I've also tried to make certtool honour the extensions which it does to a
> > certain degree. The "encryption_key" is not honored even if I try to enforce
> > it using the "honour_crq_extensions" option as well as using the above
> > template when I sign the CSR with the CA. The resulting PEM-encoded
> > certificate generates the following error during startup of libvirtd:
>
> Hi,
>  Could you send the command set that reproduces that? Note however,
> that if you have access to the CA key you don't need to go through a
> CSR to generate a certificate. You can generate it directly from the
> template.
>
> regards,
> Nikos
>

Hi!

The reason that I'm creating a CSR and then a CRT is because I'm going to
create multiple certificates. I need to create certificates for my client
too, so I want to do it the same way for both server and client. I am aware
that I can create the certificate in one go. The commands that I use are as
follows:

certtool --generate-request --load-privkey serverkey.pem \
  --template server.info --outfile servercsr.pem --hash=sha512
# The template "server.info" is what I pasted in the first post.

certtool --generate-certificate --load-ca-certificate cacert.pem \
  --load-ca-privkey cakey.pem --template server.info \
  --load-request servercsr.pem --outfile servercert.pem --hash=sha512
# If I give it the template here then I don't get a bunch of questions. If
# I don't then I get what I specified for the CSR, but if I answer YES to the
# question about TLS web server then I get that extension listed twice in the
# certificate. If I omit the template and answer the questions then I don't
# get any question regarding key encipherment and I still get the same
# result. I get the same result regardless of what I do.

Best regards,
Tobias
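An added example, not from the thread or from GnuTLS: the dispute above is about which Key Usage bits (RFC 5280 id-ce-keyUsage, OID 2.5.29.15) the issued certificate really carries, so this standard-library-only decoder walks the DER of a certificate to that extension and names the bits set. `build_sample_cert` is a constructed skeleton for testing, not a real certificate; `pem_to_der` lets the same check run on a certtool PEM file.

```python
import base64, re

KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15, id-ce-keyUsage
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):               # iterate a constructed DER value
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def pem_to_der(pem):                      # strip -----BEGIN/END----- armour
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))

def key_usage(cert_der):
    """Set of KeyUsage flag names, or None if the extension is absent."""
    _, cert, _ = read_tlv(cert_der)                  # Certificate
    _, tbs, _ = read_tlv(cert)                       # TBSCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        _, exts, _ = read_tlv(val)
        for _, ext in children(exts):                # OID [critical] OCTET STRING
            fields = list(children(ext))
            if fields[0][1] != KEY_USAGE_OID:
                continue
            _, bitstr, _ = read_tlv(fields[-1][1])   # BIT STRING inside OCTET STRING
            unused, bits = bitstr[0], bitstr[1:]     # first byte = unused trailing bits
            nbits = len(bits) * 8 - unused
            return {KEY_USAGE_BITS[i] for i in range(min(nbits, 9))
                    if bits[i // 8] & (0x80 >> i % 8)}  # bit 0 is the MSB
    return None

def build_sample_cert(unused_bits, ku_byte):  # constructed skeleton, not a real cert
    ku = b"\x06\x03\x55\x1d\x0f\x01\x01\xff\x04\x04\x03\x02" + bytes([unused_bits, ku_byte])
    ext = b"\x30" + bytes([len(ku)]) + ku                    # Extension SEQUENCE
    seq = b"\x30" + bytes([len(ext)]) + ext                  # SEQUENCE OF Extension
    tbs = b"\xa0\x03\x02\x01\x02\x02\x01\x01\xa3" + bytes([len(seq)]) + seq  # version, serial, [3]
    tbs = b"\x30" + bytes([len(tbs)]) + tbs                  # TBSCertificate
    return b"\x30" + bytes([len(tbs)]) + tbs                 # Certificate
```

`key_usage(pem_to_der(open("servercert.pem").read()))` on the certificate certtool produced shows directly whether `encryption_key` became `keyEncipherment` or only `digitalSignature` survived.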