Red Hat Bugzilla – Bug 475305
certtool doesn't generate proper CA request
Last modified: 2008-12-09 05:50:16 EST
certtool doesn't generate a proper certificate request for a CA.
$ certtool --generate-privkey > cacert.key
Here is a template file:
$ cat ca.info
cn = Test CA
If you generate a self-signed certificate it works as expected and creates proper x509 extensions:
$ certtool --generate-self-signed --load-privkey cacert.key --template ca.info --outfile cacert.pem
Basic Constraints: (critical)
Key usage: (critical)
But if you create a request for an upstream CA to create an intermediate CA, these extensions are not requested:
$ certtool --generate-request --load-privkey cacert.key --template ca.info --outfile cacert.req
$ openssl req -in cacert.req -text -noout|grep CA:
Unfortunately, the GNUTLS library is missing support for adding extensions to certificate requests. That also means certtool cannot support them. Please use the 'openssl req' tool to create intermediate CA cert requests.
You can also report this feature request on the upstream bug tracker.
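Added example, not part of the original report or comment: one way to follow the 'openssl req' suggestion above, so that the request carries the Basic Constraints and Key usage extensions. The config section names (dn, v3_ca_req) and the two function names are assumptions made for this sketch; the subject and file names reuse those from the report.

```shell
#!/bin/sh
# Added example: build an intermediate-CA request with `openssl req`,
# asking for the same extensions the self-signed certificate received.

make_ca_request() {
    key=$1
    req=$2
    cnf=$(mktemp) || return 1
    # Constructed config; section names are arbitrary.
    cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_ca_req
prompt             = no

[ dn ]
CN = Test CA

[ v3_ca_req ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Reuse an existing key (for example the certtool one); else create one.
    if [ ! -f "$key" ]; then
        openssl genrsa -out "$key" 2048 2>/dev/null || { rm -f "$cnf"; return 1; }
    fi
    openssl req -new -key "$key" -config "$cnf" -out "$req"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Same check as in the report: succeeds only if the request asks for CA:TRUE.
request_asks_for_ca() {
    openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Call it as `make_ca_request cacert.key cacert.req`, then `request_asks_for_ca cacert.req`. The extensions in a request are only a request: the upstream CA decides what ends up in the issued certificate, so inspect the returned certificate as well.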