
Creating an x509 v3 user certificate by signing CSR

I know how to sign a CSR using openssl, but the result certificate is an x509 v1, and not v3.

I'm using the following commands:

openssl x509 -req -days 365 -in myCSR.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

I've searched but have not been able to find a solution. Is there another way to do this programmatically?

Hex-Omega asked Aug 14 '13 13:08


2 Answers

You need to specify an extensions file.

For example:

openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt 

The extensions file (v3.ext) can look like this:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

gtrig answered Sep 20 '22 16:09


The answer of gtrig works if you have -req as well. It didn't work without that for me.

So the command is:

openssl x509 -req -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt  -days 365 

(had to give as a new answer as I don't have enough rep. to comment).

IoTKid answered Sep 24 '22 16:09
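To confirm the result, sign the CSR with the extensions file and read the Version field and extensions back from the issued certificate. The script below is an added example, not part of either answer; the throwaway CA, the subject names and the helper function names are constructed for the demonstration, while the file names and v3.ext contents follow the page.

```shell
#!/bin/sh
# Added example: signs a constructed CSR with a constructed test CA using the
# -req/-extfile command from the answers, then inspects the issued certificate.
set -e

make_inputs() {    # $1 = working directory
    # Throwaway CA key and self-signed CA certificate (constructed subject).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/myCA.key" -out "$1/myCA.crt" 2>/dev/null
    # User key and the CSR to be signed (constructed subject).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=example-user" \
        -keyout "$1/user.key" -out "$1/myCSR.csr" 2>/dev/null
    # Extensions file with the contents given in the first answer.
    cat > "$1/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF
}

sign_with_ext() {  # $1 = working directory
    openssl x509 -req -days 365 -in "$1/myCSR.csr" -extfile "$1/v3.ext" \
        -CA "$1/myCA.crt" -CAkey "$1/myCA.key" -CAcreateserial \
        -out "$1/userCertificate.crt" 2>/dev/null
}

cert_version() {   # $1 = certificate file; prints the X.509 version number
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Version: *\([0-9]*\).*/\1/p'
}

cert_has() {       # $1 = certificate file, $2 = text expected in the dump
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

work=$(mktemp -d)
make_inputs "$work"
sign_with_ext "$work"
echo "X.509 version: $(cert_version "$work/userCertificate.crt")"
cert_has "$work/userCertificate.crt" "CA:FALSE" && echo "basicConstraints present"
cert_has "$work/userCertificate.crt" "Key Encipherment" && echo "keyUsage present"
```

The private keys are written unencrypted (`-nodes`) into the temporary directory, so delete it after the check.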