1

I can make a self-signed CA certificate with the openssl command by putting the line basicConstraints = critical,CA:true in the appropriate section of a configuration file and using it:

openssl req -new -x509 -config myconfig.cnf ...

But I'm having difficulty doing the same thing using the certtool command instead. It seems like I should be able to add the same line to a template file passed via the --template=FILE switch, but that line isn't recognized.

I found basicConstraints is OID number 2.5.29.19 (at oid-info.com), so I should be able to add a line like this: add_extension = "2.5.29.19 critical,CA:true". But that fails too. Apparently the parameter after the OID must be numeric.

Looking at the codes on page 119 of RFC2459, I thought this string might work. The syntax is accepted, but still doesn't produce a CA: add_extension = "2.5.29.19 0xff010103300504ff0101"

So how can I make certtool insert extension critical,CA:true to create a CA certificate?

Ken Jackson
  • 113
  • 4

1 Answer

1

Interactively, when running certtool --generate-self-signed …, you just answer positively to the question Does the certificate belong to an authority? (y/N).

In the template, you can add the ca key, as the man page says:

# Whether this is a CA certificate or not
ca
Daniel
  • 26
  • 1
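A complete template built around the `ca` directive from the answer, together with a check that the generated certificate really carries the Basic Constraints CA:TRUE extension. This is an added example, not part of the answer; it assumes GnuTLS `certtool` is installed, and the organization, common name, serial, lifetime and file names are all constructed values.

```shell
#!/bin/sh
# Added example: write a certtool template that marks the certificate as a CA
# (the certtool equivalent of openssl's basicConstraints = critical,CA:true),
# generate a self-signed CA from it, and verify the extension is present.
# All names and values below are constructed for illustration.

write_ca_template() {
  # $1: path of the template file to write
  cat > "$1" <<'EOF'
# Constructed template for: certtool --generate-self-signed --template FILE
organization = "Example Org"
cn = "Example Root CA"
serial = 1
expiration_days = 3650

# Whether this is a CA certificate or not (bare keyword, no value)
ca
# Key usage bits a root CA needs
cert_signing_key
crl_signing_key
# Basic Constraints path length: 0 = may only sign end-entity certificates
path_len = 0
EOF
}

template_has_ca() {
  # Exit 0 if the template contains a bare "ca" directive
  grep -Eq '^[[:space:]]*ca[[:space:]]*$' "$1"
}

generate_ca() {
  # $1: template, $2: private key output, $3: certificate output
  certtool --generate-privkey --outfile "$2" 2>/dev/null || return 1
  certtool --generate-self-signed --load-privkey "$2" \
           --template "$1" --outfile "$3" 2>/dev/null
}

cert_is_ca() {
  # Exit 0 if certtool reports the CA flag in Basic Constraints
  certtool --certificate-info --infile "$1" 2>/dev/null \
    | grep -q 'Certificate Authority (CA): TRUE'
}

main() {
  tmp=$(mktemp -d)
  write_ca_template "$tmp/ca.tmpl"
  # Only attempt real generation when certtool is available
  if command -v certtool >/dev/null 2>&1; then
    generate_ca "$tmp/ca.tmpl" "$tmp/ca-key.pem" "$tmp/ca.pem" \
      && cert_is_ca "$tmp/ca.pem" \
      && echo "ca.pem carries Basic Constraints CA:TRUE"
  fi
  rm -rf "$tmp"
}

main
```

The `cert_is_ca` check is the part worth keeping in any CA-issuance script: a certificate without the CA flag will be rejected as an issuer by clients even if it was generated with CA intent, so verifying the extension right after generation catches a mis-edited template immediately.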