0

Is there a reason for not copying certificate signing request's (CSR) extensions over to certificate when creating a root CA the following way?

  1. openssl req -config openssl.cnf -new -key ca.key.pem -out ca.csr.pem -addext 'basicConstraints=critical,CA:true' -addext 'keyUsage=critical,keyCertSign'
  2. openssl x509 -req -in ca.csr.pem -signkey ca.key.pem -out ca.crt.pem

I'm aware that the single command openssl req -x509 ... does copy extensions, just wondering why using the two commands above doesn't.

Initial question:

Related question: Missing X509 extensions with an openssl-generated certificate

I know other methods exist (i.e the openssl req -x509 ...), but specifically for using two separate commands

  1. openssl req -config openssl.cnf -new -key ca.key.pem -out ca.csr.pem -addext 'basicConstraints=critical,CA:true' -addext 'keyUsage=critical,keyCertSign'
  2. openssl x509 -req -in ca.csr.pem -signkey ca.key.pem -out ca.crt.pem

to create a CA. Is there really no way to preserve the extensions from the CSR?

Cigarette Smoking Man
  • 101
  • 4
  • 2
    Does this answer your question? Missing X509 extensions with an openssl-generated certificate. Also, the documentation for x509 is quite clear in this regard: "Extensions in certificates are not transferred to certificate requests and vice versa." – Steffen Ullrich Jan 08 '21 at 17:37
  • @SteffenUllrich yes, and that is under the "bugs" (sic) section of openssl x509 man pages, so it seems that transferring extensions is something that is wanted/expected, but currently is not implemented. So I wondered if there was a roundabout way by combining flags. – Cigarette Smoking Man Jan 09 '21 at 06:59
  • @mentallurg I asked here because perhaps there is a good reason to not transfer the extensions, and this good reason would be related to security (i.e this is what PKI is for). – Cigarette Smoking Man Jan 09 '21 at 07:02
  • "I asked here because perhaps there is a good reason to not transfer the extensions, and this good reason would be related to security ..." - It would have been better if you then ask exactly this, but you did not. In general a CA should not blindly sign everything somebody has put into a CSR, but it should only include the things it expects there and which fit the purpose of the certificate. – Steffen Ullrich Jan 09 '21 at 09:03
  • @SteffenUllrich I changed the question. What you said ("in general a CA should not blindly sign everything somebody has put into a CSR") makes sense: since creating CAs is much less frequent than signing CSRs for leaf certificates which could come from anyone. – Cigarette Smoking Man Jan 09 '21 at 11:38

0 Answers0