 

Is there any way to specify basicConstraints for an OpenSSL cert via the command line?


I'd like to include a basicConstraints=CA:TRUE,pathlen:0 constraint in my self-signed CA creation script, and it would go a very long way to simplify my procedure if I didn't have to create a config file and all the folder structure of a proper CA.

I'm trying to create an intermediate cert that can only sign end certs, not further CAs. I will be using BouncyCastle to sign all further certs, so the folder structure I would need to create for a proper CA will not be used anyway.

asked Apr 28 '16 16:04 by Lev Kuznetsov


People also ask

What is basicConstraints CA true?

Basic Constraints. This is a multi-valued extension which indicates whether a certificate is a CA certificate. The first (mandatory) name is CA followed by TRUE or FALSE. If CA is TRUE then an optional pathlen name followed by a non-negative value can be included.

What is non CA certificate?

This is a CA certificate. A non-CA cert would have CA:FALSE (or not have the extension at all). Caveat: you need to include these extensions in your request AND make sure the CA does not override them when signing the request.

What is Distinguished_name in OpenSSL?

The distinguished_name section, which specifies the Distinguished Name fields required when the openssl req command is creating a certificate request or a self-signed certificate. The actual name of this section is specified in the distinguished_name entry in the req section.


1 Answer

Adding basicConstraints without openssl.cnf

I couldn't see how to avoid using it entirely, but using the default config and commenting out anything you set by command line seems efficient enough.

Utilize -addext, which can be used multiple times.

Given an already-existing privkey.pem, and with the caveat that e.g. /etc/ssl/openssl.cnf does not have conflicting instructions, the following seems to do it without the bashism.

DAYS='240'
SUBJECT='/CN=example.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US'
SERIAL='0x1001'

openssl req \
    -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
    -outform pem -out cacert.pem \
    -key privkey.pem -new -x509 \
    -days "${DAYS}" \
    -subj "${SUBJECT}" \
    -set_serial "${SERIAL}"
answered Oct 06 '22 04:10 by Andrew Siplas
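The following script is an added example and is not code from the question or the answer above. It takes the answer's -addext approach one step further and shows what pathlen actually buys you: it builds a self-signed CA whose basicConstraints are given entirely on the command line, issues a sub-CA under it and a leaf under that sub-CA, and then runs openssl verify on the leaf. With pathlen:0 (what the question asks for) the leaf is rejected because a CA sits between the root and the leaf; with pathlen:1 the same chain is accepted. It assumes OpenSSL 1.1.1 or later (for -addext and "x509 -ext"), and all subjects, serials and file names are constructed for the demo. To honour the answer's caveat about conflicting instructions in the system openssl.cnf, it writes a three-line req config with no x509_extensions section rather than relying on the distribution default; "x509 -req" still reads the issued certificate's extensions from a one-line ext file, since it has no -addext equivalent.

```shell
#!/bin/sh
# Added example (not from the original question or answer): a CA whose
# basicConstraints come only from -addext, plus a chain that demonstrates
# the effect of pathlen. Requires OpenSSL >= 1.1.1. All names are constructed.
set -e

# Minimal req config. Its only purpose is to keep any x509_extensions section
# from the system openssl.cnf out of the picture, so -addext is the sole
# source of extensions for the self-signed certificate.
setup_dir() {
    mkdir -p "$1"
    printf '[req]\ndistinguished_name = req_dn\n[req_dn]\n' > "$1/min.cnf"
}

# P-256 key: quick to generate and sufficient for a demo.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1"
}

# Self-signed CA in $1/ca.pem from $1/ca.key; $2 is the pathlen value.
# basicConstraints and keyUsage are both supplied with -addext.
make_ca_cert() {
    openssl req -new -x509 -config "$1/min.cnf" -key "$1/ca.key" \
        -out "$1/ca.pem" -days 365 \
        -subj "/CN=Example Issuing CA/O=Example Co./C=US" \
        -set_serial 0x1001 \
        -addext "basicConstraints=critical,CA:TRUE,pathlen:$2" \
        -addext "keyUsage=critical,keyCertSign,cRLSign"
}

# Issue $1/$2.pem for key $1/$2.key, signed by CA $1/$3.pem and $1/$3.key.
# $4 = subject, $5 = serial, $6 = basicConstraints value for the new cert.
# "x509 -req" only takes extensions from a file, hence the one-line ext file.
issue_cert() {
    printf 'basicConstraints=%s\n' "$6" > "$1/$2.ext"
    openssl req -new -config "$1/min.cnf" -key "$1/$2.key" \
        -subj "$4" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -set_serial "$5" -days 365 -extfile "$1/$2.ext" -out "$1/$2.pem"
}

# Print the pathlen recorded in a certificate's basicConstraints, or "none".
cert_pathlen() {
    openssl x509 -in "$1" -noout -ext basicConstraints \
        | sed -n 's/.*pathlen:\([0-9][0-9]*\).*/\1/p' | grep . || echo none
}

# Exit 0 if leaf $3 chains to root $1 through intermediate $2, else non-zero.
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build root (pathlen:$2) -> sub-CA (CA:TRUE) -> leaf (CA:FALSE) in dir $1.
build_chain() {
    setup_dir "$1"
    gen_key "$1/ca.key"
    gen_key "$1/subca.key"
    gen_key "$1/leaf.key"
    make_ca_cert "$1" "$2"
    issue_cert "$1" subca ca "/CN=Sub CA below the issuing CA" 0x1002 "critical,CA:TRUE"
    issue_cert "$1" leaf subca "/CN=leaf.example.com" 0x1003 "CA:FALSE"
}

# Stand-alone run: pathlen:0 rejects the leaf (a CA sits between root and
# leaf), pathlen:1 accepts the very same chain shape.
for plen in 0 1; do
    dir=$(mktemp -d)
    build_chain "$dir" "$plen" >/dev/null 2>&1
    echo "root basicConstraints pathlen: $(cert_pathlen "$dir/ca.pem")"
    if verify_leaf "$dir/ca.pem" "$dir/subca.pem" "$dir/leaf.pem"; then
        echo "  leaf via sub-CA: accepted"
    else
        echo "  leaf via sub-CA: rejected (path length constraint exceeded)"
    fi
done
```

The root's pathlen is the only thing that differs between the two runs, which is exactly the control the question is after: an issuing CA with pathlen:0 can still sign end-entity certificates, but any CA certificate it signs is useless for building a trusted chain. Run openssl verify without the redirects to see the "path length constraint exceeded" error text for the pathlen:0 case.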