In this post you will see how to pass an external/custom config file to openssl when signing a child certificate with a Root CA.
To pass an external config file, we use the -extfile parameter:
-extfile filename
    file containing certificate extensions to use. If not specified then no extensions are added to the certificate.
In the following command, we use this parameter to override the default extensions by providing our custom extension file, my-openssl-client-auth.cnf. This file only needs to contain the extensions we want to override.
openssl x509 -req -days 365 -in childcertificate.csr -CA mycertificate.crt -CAkey mycertificate.key -set_serial 01 -out childcertificate.crt -extfile C:\Test\Openssl\my-openssl-client-auth.cnf
In this example, our custom extension file (my-openssl-client-auth.cnf) contains the following content, which overrides only one extension property, extendedKeyUsage:
extendedKeyUsage = clientAuth
clientAuth tells openssl to create a certificate whose only purpose is Client Authentication.
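To confirm the extension file took effect, the script below (an added example, not part of the original post) repeats the signing step against a throwaway Root CA and then asks openssl verify whether the child certificate is accepted for each purpose. The function names, the subject names and the temporary directory are assumptions made for the demo; the file names follow the post.

```shell
#!/bin/sh
# Added example: every key, certificate and subject name here is constructed
# for the demo and lives in a temporary directory.

# Build a throwaway Root CA and sign a child CSR using the post's extension file.
sign_client_cert() {
    dir=$1
    # The extension file from the post: one extension only.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/my-openssl-client-auth.cnf"

    # Self-signed Root CA (demo only).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$dir/mycertificate.key" -out "$dir/mycertificate.crt" \
        2>/dev/null || return 1

    # Child key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$dir/childcertificate.key" -out "$dir/childcertificate.csr" \
        2>/dev/null || return 1

    # Same signing command as in the post. A real CA must give every
    # certificate it issues a unique serial number; 01 is reused here only
    # because this CA signs a single certificate.
    openssl x509 -req -days 365 -in "$dir/childcertificate.csr" \
        -CA "$dir/mycertificate.crt" -CAkey "$dir/mycertificate.key" \
        -set_serial 01 -out "$dir/childcertificate.crt" \
        -extfile "$dir/my-openssl-client-auth.cnf" 2>/dev/null || return 1
}

# Exit status 0 only if the chain verifies AND the certificate is acceptable
# for the given purpose (sslclient, sslserver, ...).
check_purpose() {
    openssl verify -CAfile "$1/mycertificate.crt" -purpose "$2" \
        "$1/childcertificate.crt" >/dev/null 2>&1
}

# Demo run: the clientAuth-only certificate should pass sslclient
# and be refused for sslserver.
d=$(mktemp -d) && sign_client_cert "$d" &&
for p in sslclient sslserver; do
    if check_purpose "$d" "$p"; then echo "$p: accepted"; else echo "$p: rejected"; fi
done
rm -rf "$d"
```

The same check_purpose call works on a certificate signed without -extfile, which makes it a quick way to compare the two results.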