openssl csr generation with basicConstraint=CA:False



  • I would like to know how to use the -extensions parameter of the openssl req command to generate a csr with basicConstraint=CA:False. Please note I do not want to use an SSL configuration file, but to generate the csr with the command line only, without referring to an openssl.cnf file. Is this possible?

    Thank you.



  • ... how to use the -extensions parameter of openssl req command to generate a csr with basicConstraint=CA:False

    The -extensions parameter is not used at all when generating a CSR. It is used for generating certificate extensions when generating a certificate (when the -x509 option is given). For specifying request extensions (i.e. for the CSR) the -reqexts option has to be used.

    Up until OpenSSL 1.1.1 there was no way in the openssl req command itself to do what you want, i.e. not using a config file. Depending on the OS there might be a way though to "magically" create a config file on the fly and use it. For example in Linux with bash shell the following can be done:

    $ openssl req -new -key key.pem -out req.pem -reqexts bc \
      -config <(cat /etc/ssl/openssl.cnf; printf "[bc]\nbasicConstraints=CA:false\n")
    

    OpenSSL 1.1.1 added the option -addext, and now it can be written like this (thanks to dave_thompson_085 for pointing this out):

    $ openssl req -new -key key.pem -out req.pem \
       -addext "basicConstraints=CA:false"
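
Added example, not part of the original posts: a shell sketch that builds a CSR with the `-addext` form from the answer above and then inspects the request to confirm it really asks for `CA:FALSE`. It assumes OpenSSL 1.1.1 or later; the subject `/CN=csr-check.example`, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate a CSR with -addext and check what it requests.
# Assumes OpenSSL >= 1.1.1. Subject and file names are constructed.

# gen_csr OUTDIR BC_VALUE
# Writes OUTDIR/key.pem and OUTDIR/req.pem; BC_VALUE is e.g. "CA:false".
gen_csr() {
    dir=$1
    bc=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null || return 1
    # -subj supplies the DN on the command line instead of prompting.
    openssl req -new -key "$dir/key.pem" -out "$dir/req.pem" \
        -subj "/CN=csr-check.example" \
        -addext "basicConstraints=$bc" 2>/dev/null
}

# csr_requests_end_entity CSR_FILE
# Returns 0 only if the CSR self-signature verifies and it requests CA:FALSE.
#   2 = unreadable or bad signature, 3 = no basicConstraints, 4 = not CA:FALSE
csr_requests_end_entity() {
    csr=$1
    # The exit status of "req -verify" differs between releases, so match
    # the "verify OK" message instead of trusting the status code.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'X509v3 Basic Constraints' || return 3
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 4
    return 0
}
```

A CSR only requests the extension; the issuing CA decides whether it ends up in the certificate, so the same check is worth repeating on the issued certificate.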
    
