I'm using openssl on Mac OS X 10.9 to generate a self-signed certificate for Windows Server Remote Desktop Services.
Using the command below I can generate the certificate,
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt
However, I need to add an extended key usage string Server Authentication (1.3.6.1.5.5.7.3.1) and I can't figure out how to do it in the command above.
I have tried using the openssl option -extfile with a file containing this,
[= default ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
However, I get an error that "-extfile option is not found".
Best Answer
While openssl x509 uses -extfile, the command you are using, openssl req, needs -config to specify the configuration file. So, you might use a command like this:
The usual prompts for the distinguished name bits are defined in the default configuration file (which is probably /System/Library/OpenSSL/openssl.cnf on OS X), but this file is not processed when you use -config, so your configuration file must also include some DN bits. Thus, the above-referenced cert_config might look something like this:
As indicated in the comment, you can probably leave out most of the DN fields. For HTTPS usage, I think all you need is a CN that matches your hostname.
The Distinguished Name and Attribute Section Format section of req(1) shows how you could modify the above configuration to prompt for values (and provide default values) if you wanted to generate multiple similar certificates/requests.
If you need other certificate extensions, check x509v3_config(5) for what other bits you can specify in extension sections.
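A complete run of the approach described in the answer, as an added example that is not part of the original answer: it writes a cert_config with a DN section and an extension section, runs the question's openssl req command with -config, and checks that the Server Authentication EKU is in the resulting certificate. The CN value and the section names req_dn and v3_ext are constructed for illustration; serverAuth is OpenSSL's short name for OID 1.3.6.1.5.5.7.3.1.

```shell
#!/bin/sh
# Added example: file names follow the question; the CN and the
# section names (req_dn, v3_ext) are constructed for illustration.

# Write a minimal config to $1. With -config the default openssl.cnf
# is not read, so the DN has to be defined here as well.
write_cert_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ext

[ req_dn ]
# Most DN fields are left out; CN should match the server's hostname.
CN = myserver.example.com

[ v3_ext ]
# serverAuth is the short name for OID 1.3.6.1.5.5.7.3.1
extendedKeyUsage = serverAuth
EOF
}

# Same command as in the question, plus -config.
# $1 = config file, $2 = output directory, $3 = RSA bits (default 4096)
make_cert() {
    openssl req -x509 -nodes -days 365 -newkey "rsa:${3:-4096}" \
        -keyout "$2/myserver.key" -out "$2/myserver.crt" \
        -config "$1"
}

# Print the decoded certificate so its extensions can be inspected.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# Return 0 if the certificate carries the Server Authentication EKU.
has_server_auth() {
    cert_text "$1" | grep -q "TLS Web Server Authentication"
}

# Run the whole procedure when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    write_cert_config "$dir/cert_config"
    make_cert "$dir/cert_config" "$dir" 4096
    has_server_auth "$dir/myserver.crt" && echo "EKU present: $dir/myserver.crt"
fi
```

The x509_extensions key in the [ req ] section is what tells openssl req -x509 which section's extensions to put into the self-signed certificate.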