Error when trying to add custom extensions to X509 certificates using openSSL

opensslself-signed-certificatex509

I am trying to add custom extensions to my self-signed certificate.
I tried the following

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -extfile myconfig.cnf -extensions v3_req

Error is

unknown option -extfile

myconfig.cnf

[req]
req_extensions = v3_req

[v3_req]
1.2.3.4.5.6.7.8=ASN1:UTF8String:Something

when I remove -extfile myconfig.cnf -extensions v3_req, I see cert.pem created successfully.

I do see -extfile is not a valid option. However, I see other posts suggesting the same
Openssl Custom Extension

EDIT

I used -config instead of -extfile but I get the following error

unable to find 'distinguished_name' in config
problems making Certificate Request
4646921836:error:0EFFF06C:configuration file routines:CRYPTO_internal:no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/conf/conf_lib.c:322:group=req name=distinguished_name

Best Answer

Your configuration file contains two small errors:

When called with -x509 req does not look for the req_extensions, but the x509_extensions section,
Your configuration file does not contain a distinguished name attribute, which is the only certificate attribute without a default value.

Therefore a minimal configuration file would look like this:

[ req ]
distinguished_name = dn
x509_extensions = extensions
prompt = no

[ extensions ]
1.2.3.4 = ASN1:UTF8String:Something

[ dn ]
0.DC = com
1.DC = example
commonName = example.com

The prompt option disables prompting for the distinguished name RDNs. You can generate your certificate with:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem\
-days 365 -config myconfig.cnf

A more complete example should, of course, include some standard extensions in the [ extensions ] section, which you can find in the standard OpenSSL config:

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

Related Solutions

How to get iPXE to boot from HTTPS server with self signed cert

You need to add your certificate to the CA used by ipxe.

Another solution would be to create a private CA (a root certificate that you will use to sign the host certificates), then configure ipxe to use this CA. See: http://ipxe.org/cfg/crosscert

The best solution is to sign your certificates by a public CA.

OpenSSL Warning While Using x509 Purpose Command

Is that your own self-signed root CA, or an older Verisign V1 Root CA or similar? Because that would generate a warning. From the manual (emphasis mine)

The basicConstraints extension CA flag is used to determine whether the certificate can be used as a CA. If the CA flag is true then it is a CA, if the CA flag is false then it is not a CA. All CAs should have the CA flag set to true.

If the basicConstraints extension is absent then the certificate is considered to be a "possible CA" other extensions are checked according to the intended use of the certificate. A warning is given in this case because the certificate should really not be regarded as a CA: however it is allowed to be a CA to work around some broken software.

If the certificate is a V1 certificate (and thus has no extensions) and it is self signed it is also assumed to be a CA but a warning is again given: this is to work around the problem of Verisign roots which are V1 self signed certificates.

The code=3 might have to do with the fact that X509 v3 extensions are missing. At least that is what a quick scan of the code suggest: ./crypto/x509v3/v3_purp.c:

/*-
 * CA checks common to all purposes
 * return codes:
 * 0 not a CA
 * 1 is a CA
 * 2 basicConstraints absent so "maybe" a CA
 * 3 basicConstraints absent but self signed V1.
 * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
 */

Downloading a couple of the old VeriSign root certificates complete reproduces your warnings:

wget https://www.symantec.com/content/en/us/enterprise/verisign/roots/Class-3-Public-Primary-Certification-Authority-G2.pem 
openssl x509 -purpose -in Class-3-Public-Primary-Certification-Authority-G2.pem
Certificate purposes:
SSL client : Yes
SSL client CA : Yes (WARNING code=3)
SSL server : Yes
SSL server CA : Yes (WARNING code=3)
Netscape SSL server : Yes
Netscape SSL server CA : Yes (WARNING code=3)
S/MIME signing : Yes
S/MIME signing CA : Yes (WARNING code=3)
S/MIME encryption : Yes
S/MIME encryption CA : Yes (WARNING code=3)
CRL signing : Yes
CRL signing CA : Yes (WARNING code=3)
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes (WARNING code=3)
-----BEGIN CERTIFICATE-----
MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID
AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk
U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i
F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY
oJ2daZH9
-----END CERTIFICATE-----

Best Answer

Related Solutions

How to get iPXE to boot from HTTPS server with self signed cert

OpenSSL Warning While Using x509 Purpose Command

Related Topic