
I'm trying to create an x509 certificate with a very specific set of x509v3 Extensions from a CSR (that already has these Extensions set). I have a CSR in PEM form (?). It looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIEjDCCAnQCAQAwFT...
...EQFqw==
-----END CERTIFICATE REQUEST-----

I'm trying to sign it by piping it through libressl (I'm on a Mac) and using the installed openssl tool to sign the request with a Root CA Cert that I've already trusted on my machine. The process looks like this:

echo "-----BEGIN CERTIFICATE REQUEST-----\nMIIE...qw==\n-----END CERTIFICATE REQUEST-----\n" | openssl x509 -req -days 3650 -CA trusted_cert.pem -CAkey trusted_key.pem -CAcreateserial -out output_crt.pem -sha512 -extfile /usr/local/etc/openssl/openssl.cnf -extensions my_ca

libressl isn't 100% "overlay compatible" with openssl (which might be causing this headache). So where openssl would have a -config flag, libressl appears to have a -extfile flag. This already bit me once moving code from libressl to openssl.

The my_ca section in openssl.cnf looks like this:

[ my_ca ]

# Extension copying option: use with caution.
copy_extensions = copy

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

From what I understand of openssl (and, reading through the lines, libressl), the copy_extensions = copy in this section should cause the extensions in the CSR to be copied to the output x509 certificate. However, when libressl is called with the echo form above, I get the following errors:

Error Loading extension section my_ca
4592432748:error:22FFF082:X509 V3 routines:func(4095):unknown extension name:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/x509v3/v3_conf.c:127:
4592432748:error:22FFF080:X509 V3 routines:func(4095):error in extension:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/x509v3/v3_conf.c:96:name=copy_extensions, value=copy

I assumed that as soon as I was able to get libressl to load that section, it would understand the copy_extensions directive - this does not appear to be the case. How can I author a config file so that libressl will copy extensions from a CSR into the resulting certificate?

As reference, my version of libressl is as follows:

openssl version -a
LibreSSL 2.6.5
built on: date not available
platform: information not available
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"
  • I don't know what you mean by 'overlay compatible' and I don't use Libre, but I doubt this is an incompatibility. _Real OpenSSL_ `x509 -req` does not take an option `-config` and does not accept in the `-extensions` section the settings you show. In particular `x509 -req` does not support `copy_extensions` at all ever. There are Qs about this exact point on other stacks. The settings you show are supported in OpenSSL _only_ by `ca` _not_ `x509 -req`, and I'd bet Libre is the same. – dave_thompson_085 Jan 04 '20 at 04:35
  • Thanks for the pointers, @dave_thompson_085 - I don't think that you gave me the correct answers, but you pointed me to the place where they were. – distortedsignal Jan 06 '20 at 17:20

1 Answer

So @dave_thompson_085 pointed me in the right direction, and I figured out how to get this to work, even though it was kind of disappointing.

copy_extensions does not work the way I thought it did. It appears (according to dave) that it doesn't work with x509 -req at all.

Instead, the way that I got around this was to create a small section of an openssl conf file with the appropriate permissions, and then sign the CSRs with the new section passed in to the extensions argument. A truncated example follows:

echo "-----BEGIN CERTIFICATE REQUEST-----\nMI...E=\n-----END CERTIFICATE REQUEST-----\n" | openssl x509 -req -days 3650 -CA my_cert.pem -CAkey my_key.pem -CAcreateserial -out new_cert.pem -sha512 -extfile /usr/local/etc/openssl/openssl.cnf -extensions my_ca

Section from the openssl.cnf file:

...
####################################################################
[ my_ca ]

basicConstraints = critical,CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
####################################################################
...
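The thread's conclusion can be checked end to end with throwaway keys. The script below is an added example and is not code from the question or the answer; it assumes only an `openssl` (or LibreSSL `openssl`) binary on `PATH`, writes everything to a temporary directory, and uses made-up names (`example-root`, `example-intermediate`, `my_ca`, `demo_ca`). It signs the same CSR three ways: `x509 -req` with no extension section (the CSR's own CA:TRUE is silently dropped), `x509 -req -extfile ... -extensions my_ca` with a section that lists only extension names (the approach the answer settles on), and `openssl ca` with `copy_extensions = copy`, which is the one tool where that directive actually applies, as the comment from dave_thompson_085 says.

```shell
#!/bin/sh
# Added example (not from the question or answer): shows that "x509 -req"
# applies only what the -extfile section names, while "openssl ca" honours
# copy_extensions = copy. Assumes an openssl/libressl binary on PATH.
# All keys, configs and certs are throwaway and live under $WORK.
set -e
WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/newcerts"          # "openssl ca" bookkeeping (constructed)
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"

# req.cnf: the CSR requests CA extensions, like the CSR in the question.
# ext.cnf: [my_ca] for x509 -req holds extension names only; ca-app settings
#          such as copy_extensions are what made the original section fail.
# ca.cnf:  minimal "openssl ca" profile with copy_extensions = copy.
write_configs() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = csr_ext
[ dn ]
CN = example-intermediate
[ csr_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
EOF
    cat > "$WORK/ext.cnf" <<'EOF'
[ my_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
EOF
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
certificate = $WORK/root.pem
private_key = $WORK/root.key
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = ca_ext
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ ca_ext ]
subjectKeyIdentifier = hash
EOF
}
# Throwaway self-signed root standing in for trusted_cert.pem/trusted_key.pem.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=example-root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}
# CSR whose requested extensions carry CA:TRUE and keyCertSign.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
}
# x509 -req signing: $1 = output file, further args = extra x509 options.
# stderr is silenced for brevity; set -e still aborts on any failure.
sign_with_x509() {
    out="$1"; shift
    openssl x509 -req -days 3650 -sha512 -in "$WORK/leaf.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$out" "$@" 2>/dev/null
}
# ca signing: copy_extensions in ca.cnf pulls the extensions from the CSR.
sign_with_ca() {
    openssl ca -batch -notext -config "$WORK/ca.cnf" \
        -in "$WORK/leaf.csr" -out "$1" 2>/dev/null
}
# Succeeds when the certificate's text dump contains the given string.
cert_has() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}
run_demo() {
    write_configs; make_root; make_csr
    sign_with_x509 "$WORK/no_ext.pem"
    sign_with_x509 "$WORK/with_ext.pem" -extfile "$WORK/ext.cnf" -extensions my_ca
    sign_with_ca "$WORK/via_ca.pem"
    for f in no_ext with_ext via_ca; do
        cert_has "$WORK/$f.pem" CA:TRUE && echo "$f.pem: CA:TRUE present" \
            || echo "$f.pem: CA:TRUE absent"
    done
}
run_demo
```

Running it prints `no_ext.pem: CA:TRUE absent` and `present` for the other two, which is the whole story of the thread in three lines: the CSR's extensions only survive `x509 -req` when the section passed via `-extfile`/`-extensions` restates them, and `copy_extensions` belongs in an `openssl ca` profile. (OpenSSL 3.0 later added a `-copy_extensions` option to the `x509` command itself; the LibreSSL 2.6.5 in the question predates that, so the `-extfile` route remains the portable one.)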