[gnutls-help] certtool - key encipherment (X.509v3 extension)
nmav at gnutls.org
Tue Dec 15 11:55:52 CET 2015
On Mon, Dec 14, 2015 at 10:31 AM, Tobias --- <tobbe.se at gmail.com> wrote:
> 2015-12-14 9:43 GMT+01:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
>> On Sun, Dec 13, 2015 at 9:34 PM, Tobias --- <tobbe.se at gmail.com> wrote:
>> > Hello!
>> > I'm trying to create a certificate that contains the necessary options to
>> > let the libvirtd service work as intended with remote control over TLS.
>> > I have created my own CA using certtool and the problem that I'm having is
>> > with the server certificate.
>> > The template that I'm using when I create the CSR is as follows:
>> > organization = "Local libvirtd"
>> > unit = "libvirtd server"
>> > cn = "oink"
>> > country = "SE"
>> > state = "Sweden"
>> > expiration_days = 1095
>> > tls_www_server
>> > signing_key
>> > encryption_key
>> > I've also tried to make certtool honour the extensions, which it does to a
>> > certain degree. The "encryption_key" is not honored even if I try to enforce
>> > it using the "honour_crq_extensions" option as well as using the above
>> > template when I sign the CSR with the CA. The resulting PEM-encoded
>> > certificate generates the following error during startup of libvirtd:
Note that the option is honor_crq_extensions.
> The reason that I'm creating a CSR and then a CRT is because I'm going to
> create multiple certificates. I need to create certificates for my client
> too, so I want to do it the same way for both server and client. I am aware
> that I can create the certificate in one go. The commands that I use are as
> follows:
> certtool --generate-request --load-privkey serverkey.pem --template server.info --outfile servercsr.pem --hash=sha512
> # The template "server.info" is what I pasted in the first post.
> certtool --generate-certificate --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template server.info --load-request servercsr.pem --outfile servercert.pem --hash=sha512
> # If I give it the template here then I don't get a bunch of questions. If I
> don't, then I get what I specified for the CSR, but if I answer YES to the
> question about TLS web server then I get that extension listed twice in the
Key purposes are not overwritten but appended, so if it is already
specified by the client and also set by the server, you'll see it twice.
> If I omit the template and answer the questions then I don't
> get any question regarding key encipherment and I still get the same result.
> I get the same result regardless of what I do.
I cannot, however, reproduce your issue (with honor_crq_extensions). I
see both Digital signature and Key encipherment in the generated
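The CSR-then-sign flow discussed in this thread, as an added example that is not part of the original messages: it builds a throwaway CA, generates the server CSR from the template quoted above, signs it with a CA-side template that uses the correctly spelled honor_crq_extensions, and then reads the result back with certtool -i to count how often "Key encipherment" and "TLS WWW Server" appear. It also signs once without the option and once with tls_www_server repeated in the signing template, so the appended (not overwritten) key purposes can be seen. It assumes GnuTLS certtool is installed; the CA name, file names and the count_in_cert helper are made up for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the certtool
# CSR -> signed certificate flow and check which key usage bits survive.
# Assumes GnuTLS certtool is on PATH; names below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server template, as quoted in the question: digital signature, key
# encipherment and the TLS server key purpose.
write_server_template() {
  cat > "$1" <<'EOF'
organization = "Local libvirtd"
unit = "libvirtd server"
cn = "oink"
country = "SE"
state = "Sweden"
expiration_days = 1095
tls_www_server
signing_key
encryption_key
EOF
}

# Throwaway CA template (assumed name): self-signed, may sign certificates.
write_ca_template() {
  cat > "$1" <<'EOF'
cn = "Local libvirtd CA"
ca
cert_signing_key
expiration_days = 3650
EOF
}

# Signing template. The option that copies CSR extensions into the issued
# certificate is spelled honor_crq_extensions; extra key purposes listed in
# this template are appended to the ones taken from the CSR.
write_sign_template() {
  cat > "$1" <<EOF
expiration_days = 1095
$2
EOF
}

# Create the CA key/cert and the server key/CSR once.
setup() {
  write_ca_template "$WORK/ca.info"
  write_server_template "$WORK/server.info"
  certtool --generate-privkey --outfile "$WORK/cakey.pem" >/dev/null 2>&1
  certtool --generate-self-signed --load-privkey "$WORK/cakey.pem" \
    --template "$WORK/ca.info" --outfile "$WORK/cacert.pem" >/dev/null 2>&1
  certtool --generate-privkey --outfile "$WORK/serverkey.pem" >/dev/null 2>&1
  certtool --generate-request --load-privkey "$WORK/serverkey.pem" \
    --template "$WORK/server.info" --outfile "$WORK/servercsr.pem" \
    --hash=sha512 >/dev/null 2>&1
}

# sign_csr OUTFILE "extra template lines": sign the server CSR with the CA.
sign_csr() {
  write_sign_template "$WORK/sign.info" "$2"
  certtool --generate-certificate --load-request "$WORK/servercsr.pem" \
    --load-ca-certificate "$WORK/cacert.pem" \
    --load-ca-privkey "$WORK/cakey.pem" \
    --template "$WORK/sign.info" --outfile "$1" --hash=sha512 >/dev/null 2>&1
}

# count_in_cert CERT PATTERN: number of certtool -i lines matching PATTERN.
count_in_cert() {
  certtool -i --infile "$1" | grep -c "$2" || true
}

# has_key_encipherment CERT: succeeds if the key usage includes it.
has_key_encipherment() {
  [ "$(count_in_cert "$1" 'Key encipherment')" -gt 0 ]
}

main() {
  setup
  sign_csr "$WORK/honored.pem" "honor_crq_extensions"
  sign_csr "$WORK/plain.pem" ""
  sign_csr "$WORK/dup.pem" "honor_crq_extensions
tls_www_server"
  echo "honor_crq_extensions:  Key encipherment x$(count_in_cert "$WORK/honored.pem" 'Key encipherment'), TLS WWW Server x$(count_in_cert "$WORK/honored.pem" 'TLS WWW Server')"
  echo "no honor option:       Key encipherment x$(count_in_cert "$WORK/plain.pem" 'Key encipherment')"
  echo "honor + tls_www_server: TLS WWW Server x$(count_in_cert "$WORK/dup.pem" 'TLS WWW Server')"
}

if command -v certtool >/dev/null 2>&1; then
  main
else
  echo "certtool not found; install GnuTLS to run this demo" >&2
fi
```

The check that matters for the libvirtd case is the first line of output: with honor_crq_extensions in the signing template, the certificate carries the Key encipherment bit requested in the CSR. The third line shows the point about appended key purposes: repeating tls_www_server on the signing side does not replace the CSR's entry but adds to it.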