I know how to sign a CSR using openssl, but the resulting certificate is an x509 v1, and not v3.

I'm using the following commands:

openssl x509 -req -days 365 -in myCSR.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

I've searched but have not been able to find a solution. Is there another way to do this programmatically?

jww
Hex-Omega

2 Answers

You need to specify an extensions file.

For example:

openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

The extensions file (v3.ext) can look like this:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
gtrig
    This might be a good place to say that you can specify the *SAN* (Subject Alternative Names) in the extension file by adding a line: `subjectAltName=DNS:hostname, IP:192.168.7.1`. You can leave out the DNS or IP part, but don't forget to remove the comma then. [More info here](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html). – Aleksandar Aug 16 '18 at 12:04
The answer of gtrig works if you have -req as well. It didn't work without that for me.

So the command is:

openssl x509 -req -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt  -days 365

(had to give as a new answer as I don't have enough rep. to comment).

IoTKid
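The following script is an added end-to-end example, not code from either answer: it builds a throwaway CA and CSR, writes the v3.ext from gtrig's answer (plus the subjectAltName line from the comment), signs the CSR with the -req form from IoTKid's answer, and then reads the version and extensions back out of the certificate so you can confirm a v3 result. It assumes the openssl CLI is installed; the CA name, the hostname user.example.test and the helper function names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes the openssl CLI is
# installed. File names follow the page (myCA.*, myCSR.csr, v3.ext); the
# subject names and helper functions are constructed for this demo.
set -eu

# Build a throwaway CA plus a user key and CSR inside DIR, and write the
# v3.ext from the answer (with the SAN line from the comment) next to them.
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$dir/myCA.key" -out "$dir/myCA.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=user.example.test" \
    -keyout "$dir/user.key" -out "$dir/myCSR.csr" 2>/dev/null
  cat > "$dir/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:user.example.test, IP:192.168.7.1
EOF
}

# Sign DIR/myCSR.csr with the demo CA into DIR/OUT. -req is required because
# the input is a CSR, not a certificate; the optional third argument is the
# extension file. Without it, the asker's observation applies: the result
# carries no extensions (and is v1 on the OpenSSL 1.x line they were using).
sign_csr() {
  dir=$1; out=$2; extfile=${3:-}
  if [ -n "$extfile" ]; then
    openssl x509 -req -days 365 -in "$dir/myCSR.csr" -extfile "$extfile" \
      -CA "$dir/myCA.crt" -CAkey "$dir/myCA.key" -CAcreateserial \
      -out "$dir/$out" 2>/dev/null
  else
    openssl x509 -req -days 365 -in "$dir/myCSR.csr" \
      -CA "$dir/myCA.crt" -CAkey "$dir/myCA.key" -CAcreateserial \
      -out "$dir/$out" 2>/dev/null
  fi
}

# Print the X.509 version number (1 or 3) of a certificate file, parsed from
# the "Version: 3 (0x2)" line of the text dump.
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# Succeed if the certificate carries the named X509v3 extension, e.g.
# "Subject Alternative Name" or "Basic Constraints".
cert_has_extension() {
  openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2:"
}

demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  sign_csr "$d" noext.crt
  sign_csr "$d" v3.crt "$d/v3.ext"
  echo "without -extfile: version $(cert_version "$d/noext.crt")"
  echo "with    -extfile: version $(cert_version "$d/v3.crt")"
  # Show the extension block of the v3 certificate for inspection.
  openssl x509 -in "$d/v3.crt" -noout -text \
    | sed -n '/X509v3 extensions:/,/Signature Algorithm:/p'
  rm -rf "$d"
}

demo
```

Checking the version line and the individual extensions after signing is the useful habit here: a certificate that silently lacks basicConstraints or a SAN will be accepted by some clients and rejected by others, so verify what you issued rather than trusting that the extension file was read.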