October 17, 2020

OpenSSL - extfile parameter to pass custom config file

In this post you will see how to pass an external/custom config file to openssl while signing a child certificate with a Root CA. To pass the external config file we use the -extfile parameter.

-extfile filename

file containing certificate extensions to use. If not specified then no extensions are added to the certificate.

In the following command we use this parameter to override the default extensions by providing our custom extension file, my-openssl-client-auth.cnf. This file only needs to contain the extensions we want to override.

openssl x509 -req -days 365 -in childcertificate.csr -CA mycertificate.crt -CAkey mycertificate.key -set_serial 01 -out childcertificate.crt -extfile C:\Test\Openssl\my-openssl-client-auth.cnf

In this example, our custom extension file (my-openssl-client-auth.cnf) contains the following content, which overrides only one extension property, extendedKeyUsage:

extendedKeyUsage = clientAuth

clientAuth tells openssl to create a certificate for the purpose of client authentication only.
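To confirm that the extension file took effect, the following added example (not from the original post) builds a throwaway root CA and CSR, runs the same signing command, and checks the result with openssl x509 -text and openssl verify -purpose. It is written for a POSIX shell and assumes an openssl default config that marks req -x509 certificates as a CA; the subject names and temporary directory are constructed for the demo.

```sh
#!/bin/sh
# Added example: sign a CSR with -extfile and check the resulting extension.
# File names follow the post; subject names and directories are constructed.

# Create a throwaway root CA and child CSR in directory $1, then sign the
# CSR using the one-line extension file from the post.
sign_client_cert() {
    dir=$1
    # Self-signed root CA (stands in for mycertificate.crt / mycertificate.key)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$dir/mycertificate.key" -out "$dir/mycertificate.crt" 2>/dev/null || return 1
    # Child key and certificate signing request
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$dir/childcertificate.key" -out "$dir/childcertificate.csr" 2>/dev/null || return 1
    # Extension file holding only the extension we want in the certificate
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/my-openssl-client-auth.cnf"
    # Same signing command as in the post, with paths under $dir
    openssl x509 -req -days 365 -in "$dir/childcertificate.csr" \
        -CA "$dir/mycertificate.crt" -CAkey "$dir/mycertificate.key" -set_serial 01 \
        -out "$dir/childcertificate.crt" \
        -extfile "$dir/my-openssl-client-auth.cnf" 2>/dev/null || return 1
}

# Print the Extended Key Usage value stored in certificate $1.
show_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//; s/ *$//'
}

# Return 0 if the child certificate in directory $1 chains to the root CA
# and is acceptable for purpose $2 (for example sslclient or sslserver).
verify_purpose() {
    openssl verify -CAfile "$1/mycertificate.crt" -purpose "$2" \
        "$1/childcertificate.crt" >/dev/null 2>&1
}

# Demo run in a temporary directory.
tmp=$(mktemp -d) && sign_client_cert "$tmp" && show_eku "$tmp/childcertificate.crt"
verify_purpose "$tmp" sslclient && echo "sslclient: accepted"
verify_purpose "$tmp" sslserver || echo "sslserver: rejected"
rm -rf "$tmp"
```

The sslserver check fails because the only extended key usage in the certificate is clientAuth, so a TLS server presenting it would be rejected by verifying clients.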
