[gnutls-help] certtool and add_extension
Nicolas Mora
nicolas at babelouest.org
Wed Dec 11 15:48:30 CET 2019
On 10 December 2019 at 09:22, "Nikos Mavrogiannopoulos" <nmav at gnutls.org> wrote:
> Could you minimize the commands needed to reproduce the issue you are
> describing?
>
Here is a minimal set of commands to reproduce the problem:

# Generate the CA certificate
echo add_extension = "1.3.6.1.4.1.45724.1.1.4 octet_string(0x0410CD8C395C26EDEEDE653B00797D03CA3C)" >>tmpl
certtool --generate-privkey --outfile ca.key
certtool --generate-self-signed --load-privkey ca.key --outfile ca.cert --template tmpl

# Generate the client key
certtool --generate-privkey --outfile signed.key

# Example 1: create a signed certificate without request
certtool --generate-certificate --load-privkey signed.key --outfile signed.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl

# Example 2: create a signed certificate with request
certtool --generate-request --load-privkey signed.key --outfile signed-r.csr --template tmpl
certtool --generate-certificate --load-request signed-r.csr --load-privkey signed.key --outfile signed-r.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl

In example 1, if I create a certificate signed with the ca.cert file without generating the request file first, the signed certificate contains the extension.
In example 2, if I create a certificate signed with the ca.cert file using the request, the signed certificate doesn't contain the extension.
/Nicolas