
I am using OpenSSL on 'Windows 2012R2' to generate a self-signed certificate. Using the command below I can generate the certificate: `openssl req -new -x509 -key ab.key -out ab.crt`

However, I need to add an extended key usage string Server Authentication (1.3.6.1.5.5.7.3.1) and I can't figure out how to do it in the command above.

I have tried to modify `C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf`: `extendedKeyUsage = serverAuth`

but the extended key usage string was not added.

ashish gupta
  • 1
    Where did you put it? For `req -new -x509` the extensions used are the ones in the section identified by item `x509_extensions` in section `[req]`, which with the upstream default is section `[v3_ca]`. Also how did you put it? Modern Windows (since about Vista/7) generally either does not let you change files under `\Program Files` and `\Program Files (x86)` or 'shadows' the changes so that they are discarded when the file is read. You may need to make a copy of the config file in a less protected directory (like your Documents folder) and specify that with `-config`. – dave_thompson_085 May 05 '20 at 11:05
  • 1
    Thanks @dave_thompson_085, I have added `extendedKeyUsage = serverAuth` in `[v3_ca]`, and it worked. – ashish gupta May 05 '20 at 13:20
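
The approach described in the comments, as an added example that is not part of the original thread: a private config copy whose `[req]` section names the extension section through `x509_extensions`, passed with `-config`, followed by a check that the extension actually landed in the certificate. The working directory, the file name `ab.cnf`, the subject `ab.example.test`, and `openssl` being on `PATH` are assumptions.

```powershell
# Added example; directory, file names and subject are assumptions.
# Work in a user-writable directory instead of editing files under \Program Files.
$work = Join-Path $env:USERPROFILE 'Documents\ab-cert'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Location $work

# For `req -new -x509`, the extensions come from the section that
# x509_extensions in [req] points at (here: v3_ca).
$cnf = @'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[dn]
CN = ab.example.test

[v3_ca]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:true
extendedKeyUsage     = serverAuth
'@
# Write as ASCII: a UTF-16 file does not parse as an OpenSSL config.
Set-Content -Path .\ab.cnf -Value $cnf -Encoding ASCII

# Create the key only if it is not there yet, then issue the certificate
# with the private config instead of the installed openssl.cnf.
if (-not (Test-Path .\ab.key)) { openssl genrsa -out ab.key 2048 }
openssl req -new -x509 -key ab.key -out ab.crt -days 365 -config .\ab.cnf

# Verify the result instead of trusting the config edit: serverAuth
# (1.3.6.1.5.5.7.3.1) is printed as "TLS Web Server Authentication".
$text = openssl x509 -in ab.crt -noout -text
if ($text -match 'TLS Web Server Authentication') {
    'extendedKeyUsage serverAuth is present in ab.crt'
} else {
    throw 'extendedKeyUsage is missing: check -config and x509_extensions'
}
```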
