通过签署 CSR 创建 x509 v3 用户证书

Question

I know how to sign a CSR using openssl , but the result certificate is an x509 v1, and not v3.

I'm using the following commands:

x509 -req -days 365 -in myCSR.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

I've searched but have not been able to find a solution. Is there another way to do this programmatically?

Answer 1

You need to specify an extensions file.

For example:

openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt

The extensions file (v3.ext) can look like this:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

Answer 2

The answer of gtrig works if you have -req as well. It didn't work without that for me.

So the command is:

openssl x509 -req -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt  -days 365

(had to give as a new answer as I don't have enough rep. to comment).