I have to write a test case against new code which checks to make sure that an X.509 cert is version 3, but I need some legacy (v1/v2) certs to use during testing to verify that the code works.
I'm trying to generate the certs using openssl on a Mac. All I get are v3 certs.
I've read through the openssl manpage and see nothing about creating v1 or v2 certs.
Aside from setting up an old OS on old hardware and installing an old version of openssl, are there any ideas for generating old certs or converting v3 certs to v1/v2?
Open a cmd prompt, change directory to the desktop and type the command openssl. It is a process of creating a simple X.509 certificate that will be used for digital signatures. Press Enter and fill in all the required information, like the password for creating keys and some personal information.
As part of the X.509 verification process, each certificate must be signed by the same issuer CA named in its certificate. The client must be able to follow a hierarchical path of certification that recursively links back to at least one root CA listed in the client's trust store.
A key difference between Version 1 and Version 3 certificates is the addition of certificate extensions in Version 3.
Take a look at the OpenSSL ca command documentation. The doc for the -extensions section option explains:
the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to x509_extensions unless the -extfile option is used). If no extension section is present then, a V1 certificate is created. If the extension section is present (even if it is empty), then a V3 certificate is created. See the x509v3_config(5) manual page for details of the extension section format.
To create a Version 1 certificate, point your openssl command at a configuration file without the extension section. A quick way to remove the section is to comment out or delete the lines reading x509_extensions = <...>.
You should then be able to generate Version 1 certificates by running the usual commands. For example:
openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr -config /path/to/config-file
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
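For the test case itself, the version can be read directly from the certificate's DER encoding: RFC 5280 defines version as [0] EXPLICIT with DEFAULT v1, so a v1 certificate omits the field and a v3 certificate carries the integer 2. The following is an added example, not part of the original answers; the function names and the sample skeletons (which hold only the leading fields, not full certificates) are made up for illustration.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate."""
    tag, start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, start, _ = read_tlv(der, start)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = read_tlv(der, start)
    if tag == 0x02:                         # serialNumber comes first: version omitted, so v1
        return 1
    if tag != 0xA0:                         # [0] EXPLICIT wrapper around the version INTEGER
        raise ValueError("unexpected first field in tbsCertificate")
    tag, istart, iend = read_tlv(der, vstart)
    if tag != 0x02 or iend != vend:
        raise ValueError("malformed version field")
    return int.from_bytes(der[istart:iend], "big") + 1   # v1(0), v2(1), v3(2)

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM string."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----")[1]
    return base64.b64decode("".join(body.split("-----END CERTIFICATE-----")[0].split()))

# Constructed samples: skeletons holding only the leading fields the parser reads,
# not complete certificates.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length only (< 128 bytes)

def skeleton(version_field):
    return tlv(0x30, tlv(0x30, version_field + tlv(0x02, b"\x01")))

V1_SAMPLE = skeleton(b"")                              # version field absent
V3_SAMPLE = skeleton(tlv(0xA0, tlv(0x02, b"\x02")))    # explicit version 2, meaning v3

if __name__ == "__main__":
    print(cert_version(V1_SAMPLE), cert_version(V3_SAMPLE))
```

For a file such as ca.crt, pass the result of pem_to_der(open("ca.crt").read()) to cert_version.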