1

I would like to know how to use the -extensions parameter of the openssl req command to generate a CSR with basicConstraint=CA:False. Please note I do not want to use an SSL configuration file, but to generate the CSR with the command line only, without referring to an openssl.cnf file. Is this possible?

Thank you.

choppe
  • Neardupe https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line (but basicConstraints has an s at the end) – dave_thompson_085 Jun 12 '21 at 23:38

1 Answer

2

... how to use the -extensions parameter of openssl req command to generate a csr with basicConstraint=CA:False

The -extensions parameter is not used at all when generating a CSR. It is used for generating certificate extensions when generating a certificate (when the -x509 option is given). For specifying request extensions (i.e. for the CSR) the -reqexts option has to be used.

Up until OpenSSL 1.1.1 there was no way in the openssl req command itself to do what you want, i.e. not using a config file. Depending on the OS there might be a way though to "magically" create a config file on the fly and use it. For example, on Linux with the bash shell the following can be done:

$ openssl req -new -key key.pem -out req.pem -reqexts bc \
  -config <(cat /etc/ssl/openssl.cnf; printf "[bc]\nbasicConstraints=CA:false\n")

OpenSSL 1.1.1 added the option -addext and now it can be written like this (thanks to dave_thompson_085 for pointing this out):

$ openssl req -new -key key.pem -out req.pem \
   -addext "basicConstraints=CA:false"
Steffen Ullrich
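The two approaches from the answer above, combined into one script that picks -addext when the installed OpenSSL supports it and then checks that the extension really ended up in the request. This is an added example, not part of the original answer; the helper names, the CN=example.test subject and the OPENSSL_CNF default are assumptions.

```shell
#!/bin/sh
# Added example: create a CSR that requests basicConstraints=CA:false and
# confirm the extension is present in the request.
# Assumptions: helper names, CN=example.test and the default config path are
# illustrative; set OPENSSL_CNF if your system config lives elsewhere.

OPENSSL_CNF="${OPENSSL_CNF:-/etc/ssl/openssl.cnf}"

# make_csr KEY OUT: write a CSR for KEY to OUT with basicConstraints=CA:false.
make_csr() {
    key=$1 out=$2
    if openssl req -help 2>&1 | grep -q -e '-addext'; then
        # OpenSSL 1.1.1+: extension given directly on the command line.
        openssl req -new -key "$key" -out "$out" -subj "/CN=example.test" \
            -addext "basicConstraints=CA:false"
    else
        # Older OpenSSL: append a [bc] section to a copy of the system config
        # (a temp file instead of bash process substitution, so plain sh works).
        cnf=$(mktemp) || return 1
        { cat "$OPENSSL_CNF"; printf '\n[bc]\nbasicConstraints=CA:false\n'; } > "$cnf"
        openssl req -new -key "$key" -out "$out" -subj "/CN=example.test" \
            -reqexts bc -config "$cnf"
        rc=$?
        rm -f "$cnf"
        return "$rc"
    fi
}

# csr_requests_ca_false CSR: succeed only if the text dump of the CSR shows a
# Basic Constraints extension whose value is CA:FALSE.
csr_requests_ca_false() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:FALSE'
}

# Demo in a throwaway directory with a freshly generated (constructed) key.
demo_dir=$(mktemp -d)
openssl genrsa -out "$demo_dir/key.pem" 2048 2>/dev/null
make_csr "$demo_dir/key.pem" "$demo_dir/req.pem" \
    && csr_requests_ca_false "$demo_dir/req.pem" \
    && echo "CSR requests basicConstraints CA:FALSE"
rm -rf "$demo_dir"
```

A requested extension in a CSR is only a request: the signing CA decides which extensions go into the issued certificate, so run the same kind of check on the certificate you get back.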