Bug 475305 - certtool doesn't generate proper CA request
Summary: certtool doesn't generate proper CA request
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gnutls
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-12-08 20:36 UTC by Vadym Chepkov
Modified: 2008-12-09 10:50 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-12-09 10:50:16 UTC
Target Upstream Version:
Embargoed:

Description Vadym Chepkov 2008-12-08 20:36:04 UTC
certtool doesn't generate a proper certificate request for a CA.

$ certtool --generate-privkey > cacert.key

Here is a template file:

$ cat ca.info
cn = Test CA
ca
cert_signing_key


If you generate a self-signed certificate it works as expected and creates proper x509 extensions:

$ certtool --generate-self-signed --load-privkey cacert.key --template ca.info --outfile cacert.pem

X.509 Extensions:
        Basic Constraints: (critical)
                CA:TRUE
        Key usage: (critical)
                Certificate signing.



But if you create a request for an upstream CA to create an intermediate CA, these extensions are not requested:

$ certtool --generate-request --load-privkey cacert.key --template ca.info --outfile cacert.req

$ openssl req -in cacert.req -text -noout|grep CA:

Comment 1 Tomas Mraz 2008-12-09 10:50:16 UTC
Unfortunately the GNUTLS library is missing support for adding extensions to certificate requests. That means certtool cannot support them either. Please use the 'openssl req' tool to create intermediate CA cert requests.

You can also report this feature request on the upstream bug tracker.

https://savannah.gnu.org/support/?group=gnutls
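Added example, not part of the bug report: the workaround from comment 1 carried through as a script, with a check that the resulting CSR really does carry the CA extensions from the ca.info template, and that a request built without them (like the one certtool produced) fails the same check. It assumes an OpenSSL command-line tool is installed; the file names and config section names are constructed for this example.

```shell
#!/bin/sh
# Build an intermediate-CA request with 'openssl req' and verify its extensions.
# Example script written for this page, not from the bug report or GnuTLS.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Request extensions equivalent to the ca.info template on this page
# (cn = Test CA, ca, cert_signing_key). Section names are constructed.
cat > "$WORK/ca-req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ca_ext
prompt             = no

[ dn ]
CN = Test CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign
EOF

openssl genrsa -out "$WORK/cacert.key" 2048 2>/dev/null

# CSR that asks for the CA extensions (the openssl workaround from comment 1).
openssl req -new -key "$WORK/cacert.key" -config "$WORK/ca-req.cnf" \
    -out "$WORK/cacert.req"

# CSR with no requested extensions, which is what certtool produced.
openssl req -new -key "$WORK/cacert.key" -subj "/CN=Test CA" \
    -out "$WORK/plain.req"

# Returns 0 only if the CSR requests both CA:TRUE and the keyCertSign usage.
# 'openssl req -text' prints keyCertSign as "Certificate Sign".
csr_requests_ca() {
    text=$(openssl req -in "$1" -text -noout)
    echo "$text" | grep -q 'CA:TRUE' || return 1
    echo "$text" | grep -q 'Certificate Sign' || return 1
}

if csr_requests_ca "$WORK/cacert.req"; then
    echo "cacert.req requests CA:TRUE and Certificate Sign"
fi
if ! csr_requests_ca "$WORK/plain.req"; then
    echo "plain.req carries no CA extensions (same as the certtool output)"
fi
```

Before sending such a request to an upstream CA, run the check on the file you actually submit; a CSR that lacks the extensions will usually be issued as an end-entity certificate rather than a CA.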
