Not getting version 3 when creating a csr file with openssl
I'm beeing asked to create a csr (certificate signing request) in order to then send this to an entity that will create the certificate.
My problem is, I'm able to create the private key, and the csr, but I have to create it with version 3. I've not figured out if it's possible because it's like however I try, I just can get the version 3 just if I create myself a certificate. But not with the certificate request.
This is how I generate the private key:
openssl ecparam -genkey -name prime256v1 -out private.pem
My configuration file (x509Version3.cnf) is like that:
[ req ]
prompt = no
encrypt_key = no
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[ req_distinguished_name ]
commonName = 434C800000012A
[ v3_req ]
keyUsage = critical, digitalSignature
# keyUsage = critical,keyAgreement
basicConstraints = CA:FALSE
Then in order to get the certificate request I'm using:
openssl req -new -key private.pem -out certificateRequest.pem -config x509Version3.cnf -reqexts v3_req
And this generates a certificate request but when I check it's content with for example this web, I get:
But if I create the certificate by it self, with the command:
openssl req -x509 -new -key private.pem -out certificate.pem -days 365 -config x509Version3.cnf -extensions v3_req
I'm getting the one I'm expecting:
What I'm doing wrong? I've been checking the params for openssl certificate request, and they all seem correct and doing as expected.
Is it possible to have version 3 in a certificate request? Or just once it's a certificate created?
Thank you very much!
Currently, only one version for PKCS#10 CSR is defined, it is version 1 (encoded as 0). What you see in CSR dump is correct, by design and expected.
Signed certificate is a very different object (not PKCS#10) and it has three versions: v1 (very old that supports only mandatory fields, no extensions allowed), v2 (seldom ever used) and v3, current X.509 certificate format that supports certificate extensions.
That is, you generate V1 request and after signing, receive V3 X.509 certificate.
- How to fix SSL issue SSL_CTX_use_certificate : ca md too weak on Python Zeep
- MongoDB and Compass won't TLS with Custom CA certs made with OpenSSL
- Creating .p12 truststore with openssl
- Verifying a signature with OpenSSL
- How to get cipher text as result of encryption using aes cbc 128 bit with open ssl in c language
- Prisma openssl version issue
- Can OpenSSL on Windows use the system certificate store?
- Compass won't connect to MongoDB over TLS using OpenSSL certificates
- signature generated using openssl C++ API does not match with same code in python
- nginx SSL no start line: expecting: TRUSTED CERTIFICATE
- PowerPC for 440fp CPU openssl support
- OpenSSL SSL_connect: Connection was reset in connection to github.com:443 while try to git push
- SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
- OpenSSL: explicitly set start/end date using `openssl req`?
- How to convert a PEM PKCS#8 public key into DER/Raw-Binary
- Ubuntu24.04 SSL handshake failed when use self-signed cert
- Finding the encryption key manually using openssl library
- Program Fails to Run After Adding OpenSSL Code (SSL_library_init)
- Trouble Installing Specific Version of Ruby (OpenSSL Issue)
- How do I get Visual Studio Code to trust our self-signed proxy certificate?
- Building boringSSL x64 on Windows
- Python ssl SSLV3_ALERT_HANDSHAKE_FAILURE error with aws.amazon.com
- How to install OpenSSL in windows 10?
- How to enable FIPS mode for libcrypto and libssl packaged with Python?
- OpenSSL FIPS_mode_set not working in Python cryptography library
- RHEL8: FIPS Object Module (fipscanister) existing?
- Converting PKCS#12 certificate into PEM using OpenSSL
- What is the correct way to free output buffer after call to openssl::i2d_X509?
- Unknown binaryTarget debian-openssl-3.0.x and no custom binaries were provided error Command failed with exit code 1
- Updating OpenSSL to 1.1.1 on MacOS