59

I know you can specify the purpose for which a certificate's public key can be used by adding a line like this one to the openssl.cfg file:

extendedKeyUsage=serverAuth,clientAuth

But since I have several certificates to create, each with a different extended key usage, is it possible to specify which attribute I need on the command line (without using the openssl.cfg file)? Something like:

openssl req -newkey rsa:4096 \
            -extendedKeyUsage "serverAuth,clientAuth" \
            -keyform PEM \
            -keyout server-key.pem \
            -out server-req.csr \
            -outform PEM

Thanks!

umläute
David Caissy

6 Answers

40

You can only use something like this:

openssl req -extensions mysection -config myconfig.cnf

and myconfig.cnf:

[mysection]
keyUsage         = digitalSignature
extendedKeyUsage = codeSigning

I am not aware of a command line interface to this functionality.

patrikbeno
  • I get this: `unable to find 'distinguished_name' in config` – Marinos An Aug 30 '17 at 07:17
  • @MarinosAn, the given config contains only the parts relevant to the question. You may have to provide a few more extra parameters. This is out of the scope of the original question. – patrikbeno Oct 02 '17 at 07:26
21

You may try -addext:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt \
    -subj '/CN=User1' \
    -addext extendedKeyUsage=1.3.6.1.4.1.311.80.1 \
    -addext keyUsage=keyEncipherment

Works on OpenSSL 1.1.1a.

Mike Twc
  • What does the sequence `1.3.6.1.4.1.311.80.1` stand for? Should it be replaced with `extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection`? – alijandro Oct 19 '20 at 02:23
  • This is a Microsoft-specific extension (PKI) (I guess there is no corresponding name in openssl). This is more like an example that you can use an OID rather than a name (which you might not know). – Mike Twc Oct 19 '20 at 13:32
  • @cactuschibre it won't work on older versions. Which one are you using? – Mike Twc Jul 07 '21 at 15:26
14

What I ended up doing is creating several different openssl.cfg files and referring to the proper one using either the -config or the -extfile switch.

David Caissy
6

The same as processing SAN:

openssl req -subj "/CN=client" -sha256 -new -key client-key.pem -out client.csr \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com\nextendedKeyUsage=serverAuth,clientAuth"))

fatfatson
3

Mike Twc (https://stackoverflow.com/users/7775187/mike-twc) is absolutely right! Unfortunately, I don't have enough reputation to mark his answer as correct or to add an extension to it, so I am writing a new answer... You need to use -addext, but keep in mind that the parameter is key=value here, and all values must be separated by commas.

openssl req -x509 -nodes -newkey rsa:4096 -keyout efs.key -out efs.crt -days 36500 -subj '/CN=EFS/O=Company' -addext 'extendedKeyUsage=1.3.6.1.4.1.311.10.3.4,1.3.6.1.4.1.311.10.3.4.1'

KUL
3

With recent versions of OpenSSL you can use the -addext option to add an extended key usage.

For your specific case this should look like:

openssl req -newkey rsa:4096 \
            -addext "extendedKeyUsage = serverAuth, clientAuth" \
            -keyform PEM \
            -keyout server-key.pem \
            -out server-req.csr \
            -outform PEM

You can verify the output with:

openssl req -noout -text  -in server-req.csr

A more common use case is to also set the subject and the key usage.

With the same example:

openssl req -newkey rsa:4096 \
            -subj '/CN=My Name' \
            -addext "keyUsage = digitalSignature,keyAgreement" \
            -addext "extendedKeyUsage = serverAuth, clientAuth" \
            -keyform PEM \
            -keyout server-key.pem \
            -out server-req.csr \
            -outform PEM

sbernard
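At the byte level, as an added example and not code from any of the answers, this is what a `-addext "extendedKeyUsage=..."` value becomes inside the CSR: a DER SEQUENCE OF OBJECT IDENTIFIER (RFC 5280, section 4.2.1.12). It maps the four RFC 5280 short names used on this page to their OIDs, passes dotted OIDs such as the Microsoft ones above through unchanged (which is why both spellings work), and decodes the result back to the purposes that `openssl req -noout -text` lists. It assumes short-form DER lengths only, which a typical extendedKeyUsage value fits, and the name table is deliberately limited to the names on this page, not OpenSSL's full list.

```python
EKU_NAMES = {  # RFC 5280 id-kp OIDs behind the short names used in the answers
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
}

def _base128(n):  # OID arc: 7 bits per byte, high bit set on all but the last
    out = bytearray([n & 0x7F])
    while n := n >> 7:
        out.insert(0, 0x80 | (n & 0x7F))
    return bytes(out)

def _length(n):  # DER short-form length; a typical EKU value is well below 128 bytes
    assert n < 0x80, "long-form DER length not handled in this example"
    return bytes([n])

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(map(_base128, arcs[2:]))
    return b"\x06" + _length(len(body)) + body

def encode_eku(value):
    """Encode the string given to -addext, e.g. "serverAuth, clientAuth"."""
    items = [v.strip() for v in value.split(",") if v.strip()]
    oids = b"".join(encode_oid(EKU_NAMES.get(i, i)) for i in items)
    return b"\x30" + _length(len(oids)) + oids  # SEQUENCE OF OBJECT IDENTIFIER

def decode_oid(body):
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    arc1 = min(arcs[0] // 40, 2)  # first two arcs share one value: 40*arc1 + arc2
    return ".".join(map(str, [arc1, arcs[0] - 40 * arc1] + arcs[1:]))

def decode_eku(der):
    """Decode back to names where known, dotted OIDs otherwise."""
    if der[0] != 0x30 or der[1] & 0x80:  # SEQUENCE with a short-form length
        raise ValueError("not a short extendedKeyUsage SEQUENCE")
    names = {v: k for k, v in EKU_NAMES.items()}
    pos, end, out = 2, 2 + der[1], []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected an OBJECT IDENTIFIER")
        ln = der[pos + 1]
        oid = decode_oid(der[pos + 2:pos + 2 + ln])
        out.append(names.get(oid, oid))
        pos += 2 + ln
    return out
```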