[gnutls-help] certtool - key encipherment (X.509v3 extension)

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Dec 15 11:55:52 CET 2015

On Mon, Dec 14, 2015 at 10:31 AM, Tobias --- <tobbe.se at gmail.com> wrote:
> 2015-12-14 9:43 GMT+01:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
>> On Sun, Dec 13, 2015 at 9:34 PM, Tobias --- <tobbe.se at gmail.com> wrote:
>> > Hello!
>> >
>> > I'm trying to create a certificate that contains the necessary options to
>> > let the libvirtd service work as intended with remote control over TLS.
>> >
>> > I have created my own CA using certtool and the problem that I'm having is
>> > with the server certificate.
>> > The template that I'm using when I create the CSR is as follows:
>> > organization = "Local libvirtd"
>> > unit = "libvirtd server"
>> > cn = "oink"
>> > country = "SE"
>> > state = "Sweden"
>> > expiration_days = 1095
>> > tls_www_server
>> > signing_key
>> > encryption_key
>> > I've also tried to make certtool honour the extensions, which it does to a
>> > certain degree. The "encryption_key" is not honored even if I try to enforce
>> > it using the "honour_crq_extensions" option as well as using the above
>> > template when I sign the CSR with the CA. The resulting PEM-encoded
>> > certificate generates the following error during startup of libvirtd:

Note that the option is honor_crq_extensions.

> The reason that I'm creating a CSR and then a CRT is because I'm going to
> create multiple certificates. I need to create certificates for my client
> too, so I want to do it the same way for both server and client. I am aware
> that I can create the certificate in one go. The commands that I use are as
> follows:
> certtool --generate-request --load-privkey serverkey.pem --template server.info --outfile servercsr.pem --hash=sha512
> # The template "server.info" is what I pasted in the first post.
> certtool --generate-certificate --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template server.info --load-request servercsr.pem --outfile servercert.pem --hash=sha512
> # If I give it the template here then I don't get a bunch of questions. If I
> don't then I get what I specified for the CSR, but if I answer YES to the
> question about TLS web server then I get that extension listed twice in the
> certificate.

Key purposes are not overwritten but appended so if it is already
specified by the client and set by the server you'll see it twice.

> If I omit the template and answer the questions then I don't
> get any question regarding key encipherment and I still get the same result.
> I get the same result regardless of what I do.

I cannot however reproduce (with honor_crq_extensions) your issue. I
see both Digital signature and Key encipherment in the generated
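The CSR-then-sign flow under discussion, as an added example that is not part of the thread: it uses the server template pasted above, signs the request with a template that contains honor_crq_extensions (the spelling Nikos points out), and then checks the Key Usage section of the signed certificate for both bits libvirtd wants. The CA template, the signing template and the RSA key size are assumptions, since the thread only shows server.info; it needs GnuTLS certtool installed.

```shell
# Added example, not code from the thread: the CSR-then-sign flow from the
# thread with the server template pasted above; the CA and signing templates
# are assumptions. Requires GnuTLS certtool on PATH; runs in a temp directory.
make_server_cert() (
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"
  cat > ca.info <<'EOF'
cn = "Local libvirtd CA"
ca
cert_signing_key
expiration_days = 3650
EOF
  cat > server.info <<'EOF'
organization = "Local libvirtd"
unit = "libvirtd server"
cn = "oink"
country = "SE"
state = "Sweden"
expiration_days = 1095
tls_www_server
signing_key
encryption_key
EOF
  # Signing template: lifetime only, plus honor_crq_extensions (note the
  # spelling) so the usages requested in the CSR are copied into the cert.
  cat > sign.info <<'EOF'
expiration_days = 1095
honor_crq_extensions
EOF
  # RSA keys: keyEncipherment is only meaningful for a key that can encrypt.
  certtool --generate-privkey --bits 2048 --outfile cakey.pem >/dev/null 2>&1
  certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem >/dev/null 2>&1
  certtool --generate-privkey --bits 2048 --outfile serverkey.pem >/dev/null 2>&1
  certtool --generate-request --load-privkey serverkey.pem --template server.info --outfile servercsr.pem --hash=sha512 >/dev/null 2>&1
  certtool --generate-certificate --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template sign.info --load-request servercsr.pem --outfile servercert.pem --hash=sha512 >/dev/null 2>&1
  # Human-readable dump; the "Key Usage" section is what libvirtd checks.
  certtool -i --infile servercert.pem
)
# Succeeds only when both usages are present; each appears once because the
# signing template does not repeat them (certtool appends, never overwrites).
check_key_usage() {
  text=$(make_server_cert) || return 1
  printf '%s\n' "$text" | grep -q 'Digital signature' &&
    printf '%s\n' "$text" | grep -q 'Key encipherment'
}

check_key_usage && echo "keyUsage OK: digitalSignature + keyEncipherment"
```

Putting tls_www_server, signing_key and encryption_key in both the CSR template and the signing template is what produces the duplicated entries mentioned above, so the signing template here carries only the lifetime and honor_crq_extensions.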