[gnutls-help] certtool and add_extension

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Dec 10 15:22:35 CET 2019


Could you minimize the commands needed to reproduce the issue you are
describing?

If I do:
$ echo 'add_extension = "7.0.1.5 octet_string(CAFEBEAF)"' >>tmpl
$ certtool --generate-privkey --outfile key
$ certtool --generate-self-signed --template tmpl --load-privkey key

I see:
        Unknown extension 7.0.1.5 (not critical):
            ASCII: ......
            Hexdump: 0404cafebeaf

regards,
Nikos

On Fri, Dec 6, 2019 at 3:57 PM Nicolas Mora <nicolas at babelouest.org> wrote:
>
> Hello,
>
> December 6, 2019 04:54 "Nikos Mavrogiannopoulos" <nmav at gnutls.org> wrote:
>
> > You may want to check your gnutls version. This template option was
> > added at 3.5.3.
> >
> Nevertheless, I use a Debian Buster with gnutls 3.6.7
>
> Here is a gist with the script and template files I use for my demonstration:
> https://gist.github.com/babelouest/0c5076462d52f8ecf7c33c9862681687
>
> The log file output is attached, and more specifically, the client certificate output is:
>
> Generating a signed certificate...
> X.509 Certificate Information:
>         Version: 3
>         Serial Number (hex): 736c577633f2962c130569396e9c8532394975ea
>         Validity:
>                 Not Before: Fri Dec 06 14:30:20 UTC 2019
>                 Not After: Fri Nov 20 14:30:20 UTC 2020
>         Subject: C=CA,O=babelouest,OU=Authenticator Attestation,CN=glewlwyd_packed
>         Subject Public Key Algorithm: EC/ECDSA
>         Algorithm Security Level: High (256 bits)
>                 Curve:  SECP256R1
>                 X:
>                         3d:ca:36:10:58:e0:f0:49:cc:61:47:57:ac:ee:83:60
>                         45:29:c2:23:ab:50:1f:00:50:1b:9e:8e:51:e4:e7:8d
>                 Y:
>                         58:e4:9c:5f:81:c0:dd:d7:44:8b:c9:a2:b4:04:48:16
>                         d0:f1:86:46:d2:b5:2b:be:9b:f5:ce:76:af:3a:65:e7
>         Extensions:
>                 Basic Constraints (critical):
>                         Certificate Authority (CA): FALSE
>                 Key Usage (critical):
>                         Digital signature.
>                 Subject Key Identifier (not critical):
>                         945473da3bfe497d2b712dc3cef6e4a692be8b29
>                 Authority Key Identifier (not critical):
>                         6e245f7b8f84bb602631dc9b3a33af2fb58670f3
> Other Information:
>         Public Key ID:
>                 sha1:945473da3bfe497d2b712dc3cef6e4a692be8b29
>                 sha256:9cccc45cc2996175ed3567a0033ef413309228d78b5364b8270ad962f14d49a0
>         Public Key PIN:
>                 pin-sha256:nMzEXMKZYXXtNWegAz70EzCSKNeLU2S4JwrZYvFNSaA=
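
An added example, not part of either message: a check that a certtool text dump actually contains a given add_extension OID and that its value decodes as the DER OCTET STRING the template asked for (the 0404 prefix in the Hexdump above is tag 0x04, length 4). It assumes the Hexdump line holds the DER-encoded extension value; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: extension lines in the format of the certtool output quoted above.
SAMPLE = """\
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
        Unknown extension 7.0.1.5 (not critical):
            ASCII: ......
            Hexdump: 0404cafebeaf
"""

def read_tlv(der: bytes):
    """Decode one DER TLV (single-byte tag); return (tag, value, rest)."""
    if len(der) < 2:
        raise ValueError("truncated TLV header")
    tag, first = der[0], der[1]
    pos = 2
    if first < 0x80:            # short form: the byte is the length
        length = first
    else:                       # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(der[2:2 + n], "big")
        pos += n
    if len(der) < pos + length:
        raise ValueError("value shorter than declared length")
    return tag, der[pos:pos + length], der[pos + length:]

def unknown_extensions(certtool_text: str):
    """Map OID -> raw extension bytes for each 'Unknown extension' stanza."""
    pat = re.compile(r"Unknown extension (\S+) \((?:not )?critical\):\s*\n"
                     r"(?:\s*ASCII:.*\n)?\s*Hexdump: ([0-9a-fA-F]+)")
    return {oid: bytes.fromhex(hx) for oid, hx in pat.findall(certtool_text)}

def octet_string_payload(certtool_text: str, oid: str):
    """Return the OCTET STRING payload for oid, or None if the extension is absent."""
    raw = unknown_extensions(certtool_text).get(oid)
    if raw is None:
        return None
    tag, value, rest = read_tlv(raw)
    if tag != 0x04 or rest:
        raise ValueError(f"{oid}: not a single DER OCTET STRING")
    return value

if __name__ == "__main__":
    print(octet_string_payload(SAMPLE, "7.0.1.5").hex())
```

A None result means the dump has no "Unknown extension" stanza for that OID, as in the client certificate output quoted above.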


