Bug 475305 - certtool doesn't generate proper CA request

Status: CLOSED UPSTREAM
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gnutls
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: BaseOS QE
Keywords: FutureFeature

Reported: 2008-12-08 15:36 EST by Vadym Chepkov
Modified: 2008-12-09 05:50 EST
Doc Type: Enhancement
Last Closed: 2008-12-09 05:50:16 EST

Attachments: None

Description Vadym Chepkov 2008-12-08 15:36:04 EST
certtool doesn't generate a proper certificate request for a CA.

$ certtool --generate-privkey > cacert.key

Here is a template file:

$ cat ca.info
cn = Test CA
ca
cert_signing_key

If you generate a self-signed certificate it works as expected and creates the proper X.509 extensions:

$ certtool --generate-self-signed --load-privkey cacert.key --template ca.info --outfile cacert.pem

X.509 Extensions:
        Basic Constraints: (critical)
                CA:TRUE
        Key usage: (critical)
                Certificate signing.

But if you create a request for an upstream CA to create an intermediate CA, these extensions are not requested:

$ certtool --generate-request --load-privkey cacert.key --template ca.info --outfile cacert.req

$ openssl req -in cacert.req -text -noout|grep CA:
Comment 1 Tomas Mraz 2008-12-09 05:50:16 EST
Unfortunately the GnuTLS library is missing support for adding extensions to certificate requests. That also means certtool cannot support them. Please use the 'openssl req' tool to create intermediate CA cert requests.

You can also report this feature request on the upstream bug tracker.

https://savannah.gnu.org/support/?group=gnutls
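The workaround Tomas Mraz points to, worked through as an added example (not part of the bug report, of gnutls or of certtool): an 'openssl req' config whose [req_ext] section asks for the same Basic Constraints and Key Usage that the ca.info template above produced in the self-signed case, followed by the reporter's own 'openssl req -text | grep CA:' check. It needs the openssl command-line tool; the file names, the 2048-bit RSA key, pathlen:0 and the extra cRLSign bit are assumptions, not anything the report specifies.

```sh
#!/bin/sh
# Added example, not from the bug report: build an intermediate-CA CSR with
# 'openssl req', which (unlike this certtool) can put extensions into the
# request. Assumes the openssl CLI is installed; file names are illustrative.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Config equivalent to the ca.info template in the report: CA:TRUE and
# keyCertSign, both critical. cRLSign is an addition (an intermediate CA
# usually issues CRLs); pathlen:0 stops the intermediate from creating
# further sub-CAs.
write_req_config() {
  cat > "$WORK/ca-req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]
CN = Test CA

[ req_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Key plus CSR; req_extensions places [req_ext] in the CSR's
# extensionRequest attribute, which is exactly what certtool omitted.
make_ca_request() {
  write_req_config
  openssl genrsa -out "$WORK/cacert.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/cacert.key" -config "$WORK/ca-req.cnf" \
    -out "$WORK/cacert.req"
}

# The reporter's check ('openssl req -text | grep CA:') as a function that
# returns 0 only when the CSR requests CA:TRUE.
csr_requests_ca() {
  openssl req -in "$WORK/cacert.req" -noout -text | grep -q 'CA:TRUE'
}

# Same idea for the key usage bit ("Certificate Sign" in openssl's output).
csr_requests_cert_sign() {
  openssl req -in "$WORK/cacert.req" -noout -text | grep -q 'Certificate Sign'
}

if command -v openssl >/dev/null 2>&1; then
  make_ca_request
  if csr_requests_ca && csr_requests_cert_sign; then
    echo "CSR requests CA:TRUE and Certificate Sign"
  else
    echo "CSR is missing the CA extensions" >&2
    exit 1
  fi
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

Whether the issuer honours the requested extensions is the issuer's decision, not the requester's: 'openssl ca' discards them unless its config sets copy_extensions = copy, and a CA that does copy them must still vet a CA:TRUE request before signing, otherwise any end-entity request could turn itself into a subordinate CA.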
