Openssl x509v3 Extended Key Usage

Question

I know you can specify the purpose for which a certificate public key can be used for by adding a line like this one in the openssl.cfg file:

extendedKeyUsage=serverAuth,clientAuth

But since I have several certificates to create, each with a different extended key usage, is it possible to specify which attribute I need in the command line (without using the openssl.cfg file)? Something like:

openssl req -newkey rsa:4096 \
            -extendedKeyUsage "serverAuth,clientAuth" \
            -keyform PEM \
            -keyout server-key.pem \
            -out server-req.csr \
            -outform PEM

Thanks!

Answer 1

You can only use something like this:

openssl -extensions mysection -config myconfig.cnf 

and myconfig.cnf:

[mysection] keyUsage         = digitalSignature extendedKeyUsage = codeSigning 

I am not aware of command line interface to this functionality.

Answer 2

What I ended up doing is creating several different openssl.cfg files and refer to the proper one by using either the -config or the -extfile switch.

Answer 3

You may try addext:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt \
    -subj '/CN=User1' \
    -addext extendedKeyUsage=1.3.6.1.4.1.311.80.1 \
    -addext keyUsage=keyEncipherment

Works on openssl 1.1.1a

Answer 4

the same as processing SAN openssl req -subj "/CN=client" -sha256 -new -key client-key.pem -out client.csr\ -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com\nextendedKeyUsage=serverAuth,clientAuth"))