Creating an x509 v3 user certificate by signing CSR

I know how to sign a CSR using openssl, but the result certificate is an x509 v1, and not v3.

I'm using the following commands:

x509 -req -days 365 -in myCSR.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

I've searched but have not been able to find a solution. Is there another way to do this programmatically?

You need to specify an extensions file.

For example:

openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

The extensions file (v3.ext) can look like this:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

来源：https://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr

标签

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!