[gnutls-help] certtool and add_extension

Nicolas Mora nicolas at babelouest.org
Wed Dec 11 15:48:30 CET 2019


10 décembre 2019 09:22 "Nikos Mavrogiannopoulos" <nmav at gnutls.org> a écrit:

> Could you minimize the commands needed to reproduce the issue you are
> describing?
> 
Here is a minimal set of commands to reproduce the problem:

# Generate the ca certificate
echo add_extension = "1.3.6.1.4.1.45724.1.1.4 octet_string(0x0410CD8C395C26EDEEDE653B00797D03CA3C)" >>tmpl
certtool --generate-privkey --outfile ca.key
certtool --generate-self-signed --load-privkey ca.key --outfile ca.cert --template tmpl

# generate the client key
certtool --generate-privkey --outfile signed.key

# Example 1: create a signed certificate without request
certtool --generate-certificate --load-privkey signed.key --outfile signed.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl

# Example 2: create a signed certificate with request
certtool --generate-request --load-privkey signed.key --outfile signed-r.csr --template tmpl
certtool --generate-certificate --load-request signed-r.csr --load-privkey signed.key --outfile signed-r.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl

On the example 1, if I create a certificate signed with the ca.cert file without generating the request file first, the signed certificate contains the extension.
On the example 2, if I create a certificate signed with the ca.cert file using the request, the signed certificate doesn't contain the extension

/Nicolas



More information about the Gnutls-help mailing list