[gnutls-help] certtool and add_extension

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Dec 12 09:50:34 CET 2019


Hmm, actually what was the intention? Was the intention to read the
extension from the certificate request, or to read the extension from
the certificate template on the last step?


On Thu, Dec 12, 2019 at 7:07 AM Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>
> On Wed, 2019-12-11 at 14:48 +0000, Nicolas Mora wrote:
> > On 10 December 2019 at 09:22, "Nikos Mavrogiannopoulos" <nmav at gnutls.org>
> > wrote:
> >
> > > Could you minimize the commands needed to reproduce the issue you
> > > are describing?
> > >
> > Here is a minimal set of commands to reproduce the problem:
> >
> > # Generate the ca certificate
> > echo add_extension = "1.3.6.1.4.1.45724.1.1.4 octet_string(0x0410CD8C395C26EDEEDE653B00797D03CA3C)" >>tmpl
> > certtool --generate-privkey --outfile ca.key
> > certtool --generate-self-signed --load-privkey ca.key --outfile ca.cert --template tmpl
> >
> > # generate the client key
> > certtool --generate-privkey --outfile signed.key
> >
> > # Example 1: create a signed certificate without request
> > certtool --generate-certificate --load-privkey signed.key --outfile signed.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl
> >
> > # Example 2: create a signed certificate with request
> > certtool --generate-request --load-privkey signed.key --outfile signed-r.csr --template tmpl
> > certtool --generate-certificate --load-request signed-r.csr --load-privkey signed.key --outfile signed-r.cert --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl
> >
> > In example 1, if I create a certificate signed with the ca.cert
> > file without generating the request file first, the signed
> > certificate contains the extension.
> > In example 2, if I create a certificate signed with the ca.cert
> > file using the request, the signed certificate doesn't contain the
> > extension.
>
> When generating a certificate from a certificate request you should
> add:
> honor_crq_extensions
>
> to the template. Otherwise they are ignored.
>
> regards,
> Nikos
>
>


