I'd like to include a basicConstraints=CA:TRUE,pathlen:0 constraint in my self-signed CA creation script, and it would go a very long way to simplify my procedure if I didn't have to create a config file and all the folder structure of a proper CA.
I'm trying to create an intermediate cert that can only sign end certs, not further CAs. I will be using BouncyCastle to sign all further certs, so the folder structure I would need to create for a proper CA will not be used anyway.
Basic Constraints. This is a multi-valued extension which indicates whether a certificate is a CA certificate. The first (mandatory) name is CA followed by TRUE or FALSE. If CA is TRUE then an optional pathlen name followed by a non-negative value can be included.
This is a CA certificate. A non-CA cert would have CA:FALSE (or not have the extension at all). Caveat: you need to include these extensions in your request AND make sure the CA does not override them when signing the request.
The distinguished_name section, which specifies the Distinguished Name fields required when the openssl req command is creating a certificate request or a self-signed certificate. The actual name of this section is specified in the distinguished_name entry in the req section.
basicConstraints without openssl.cnf
I couldn't see how to avoid using it entirely, but using the default config and commenting out anything you set on the command line seems efficient enough.
-addext (which can be used multiple times).
Given an already-existing privkey.pem, and with the caveat that e.g. /etc/ssl/openssl.cnf does not have conflicting instructions, the following seems to do it without the bashism.
DAYS='240'
SUBJECT='/CN=example.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US'
SERIAL='0x1001'
openssl req \
    -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
    -outform pem -out cacert.pem \
    -key privkey.pem -new -x509 \
    -days "${DAYS}" \
    -subj "${SUBJECT}" \
    -set_serial "${SERIAL}"
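The same -addext approach as an added example (not code from any answer on this page): it builds a self-signed CA with the pathlen:0 the question asks for, uses a three-line stub config instead of /etc/ssl/openssl.cnf so the conflicting-instructions caveat above cannot bite, and reads the encoded extension back to confirm it. The file paths, subject and the helper names make_ca, ca_constraint and bc_count are assumptions.

```shell
#!/bin/sh
# Added example, not from any answer above: self-signed CA with
# basicConstraints=critical,CA:TRUE,pathlen:0 via -addext only.
# Assumes openssl 1.1.1 or newer. Paths, subject and helper names are
# constructed for this example.

make_ca() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Stub config: req insists on a distinguished_name section even when
    # -subj is given; nothing else (no x509_extensions) is read from it,
    # so the system openssl.cnf cannot merge in a second basicConstraints.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/stub.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/privkey.pem" 2>/dev/null || return 1
    # pathlen:0 permits end-entity certs only: a CA cert issued under this
    # one fails path validation in a conforming client.
    openssl req -new -x509 -config "$dir/stub.cnf" \
        -key "$dir/privkey.pem" -out "$dir/cacert.pem" \
        -days 240 -set_serial 0x1001 \
        -subj '/CN=Example Issuing CA/O=Example Co./C=US' \
        -addext 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        -addext 'keyUsage=critical,keyCertSign,cRLSign'
}

# Print the parsed extension as "critical CA:TRUE, pathlen:0".
ca_constraint() {
    openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Basic Constraints/ {
             crit = ($0 ~ /critical/) ? "critical " : ""
             getline v; sub(/^[ \t]+/, "", v); print crit v; exit }'
}

# More than one Basic Constraints extension means a config section was
# merged in alongside -addext, the conflict the answer above warns about.
bc_count() {
    openssl x509 -in "$1" -noout -text | grep -c 'X509v3 Basic Constraints'
}

if [ "$#" -gt 0 ]; then
    make_ca "$1" && ca_constraint "$1/cacert.pem" &&
    echo "basicConstraints extensions: $(bc_count "$1/cacert.pem")"
fi
```

Run it as `sh make-ca.sh ./ca-dir`; a leaf certificate is then issued from this CA with BouncyCastle or `openssl x509 -req` as usual.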