[gnutls-help] certtool and add_extension

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Dec 12 07:07:11 CET 2019


On Wed, 2019-12-11 at 14:48 +0000, Nicolas Mora wrote:
> On 10 December 2019 09:22, "Nikos Mavrogiannopoulos" <nmav at gnutls.org>
> wrote:
> 
> > Could you minimize the commands needed to reproduce the issue you
> > are describing?
> > 
> Here is a minimal set of commands to reproduce the problem:
> 
> # Generate the CA certificate
> echo 'add_extension = "1.3.6.1.4.1.45724.1.1.4 octet_string(0x0410CD8C395C26EDEEDE653B00797D03CA3C)"' >>tmpl
> certtool --generate-privkey --outfile ca.key
> certtool --generate-self-signed --load-privkey ca.key --outfile ca.cert \
>     --template tmpl
> 
> # generate the client key
> certtool --generate-privkey --outfile signed.key
> 
> # Example 1: create a signed certificate without request
> certtool --generate-certificate --load-privkey signed.key --outfile signed.cert \
>     --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl
> 
> # Example 2: create a signed certificate with request
> certtool --generate-request --load-privkey signed.key --outfile signed-r.csr \
>     --template tmpl
> certtool --generate-certificate --load-request signed-r.csr \
>     --load-privkey signed.key --outfile signed-r.cert \
>     --load-ca-certificate ca.cert --load-ca-privkey ca.key --template tmpl
> 
> In example 1, if I create a certificate signed with the ca.cert file
> without generating the request file first, the signed certificate
> contains the extension.
> In example 2, if I create a certificate signed with the ca.cert file
> using the request, the signed certificate doesn't contain the
> extension.

When generating a certificate from a certificate request, you should
add:

honor_crq_extensions

to the template. Otherwise they are ignored.

regards,
Nikos
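The same CSR-based flow as in the thread, as an added example that is not part of the mailing list exchange: the signing template gets honor_crq_extensions, the request is inspected before signing (since honoring request extensions copies whatever the requester asked for), and the issued certificate is checked for the OID. It assumes GnuTLS certtool is on PATH; the template contents, the 0x0102 payload and the file names are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread: issue a certificate from a CSR with
# certtool so that the extension carried in the request is kept, and check
# the result. Assumes GnuTLS certtool on PATH; file names follow the thread.
set -eu

OID="1.3.6.1.4.1.45724.1.1.4"   # the private OID used in the thread

# Append honor_crq_extensions to a template unless it is already there.
ensure_honor_crq() {   # $1 = template file
    grep -qx 'honor_crq_extensions' "$1" 2>/dev/null ||
        printf 'honor_crq_extensions\n' >> "$1"
}

# Succeed if the certtool -i / --crq-info text on stdin mentions the OID.
has_extension() {      # $1 = OID
    grep -qF "$1"
}

# Issue signed-r.cert from signed-r.csr with the given CA-side template.
sign_request() {       # $1 = template file
    certtool --generate-certificate --load-request signed-r.csr \
        --load-ca-certificate ca.cert --load-ca-privkey ca.key \
        --template "$1" --outfile signed-r.cert
}

demo() {
    printf 'cn = "example CA"\nca\ncert_signing_key\n' > ca.tmpl
    certtool --generate-privkey --outfile ca.key
    certtool --generate-self-signed --load-privkey ca.key \
        --template ca.tmpl --outfile ca.cert
    # Requester side: the extension is asked for in the CSR template.
    printf 'cn = "client"\nadd_extension = "%s octet_string(0x0102)"\n' \
        "$OID" > req.tmpl
    certtool --generate-privkey --outfile signed.key
    certtool --generate-request --load-privkey signed.key \
        --template req.tmpl --outfile signed-r.csr
    # CA side: honor_crq_extensions copies every extension the requester
    # put in the CSR, so review the request before signing it.
    certtool --crq-info --infile signed-r.csr
    printf 'expiration_days = 30\n' > ca-sign.tmpl
    ensure_honor_crq ca-sign.tmpl
    sign_request ca-sign.tmpl
    if certtool -i --infile signed-r.cert | has_extension "$OID"; then
        echo "issued certificate carries $OID"
    else
        echo "extension missing from issued certificate" >&2; return 1
    fi
}

# Only run the end-to-end flow when certtool is actually available.
if command -v certtool >/dev/null 2>&1; then demo; fi
```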
