Reputation: 10236
Is it possible for the CA to intervene and add extensions to an X.509 that aren't in the CSR? For example, a company runs an internal CA, and it augments certificates with additional extensions (required for operation, therefore critical). It's a lot smoother to do this directly than expect the client to add them to the CSR themselves. The latter would probably require a tool that presents a form and then injects the extensions, rather than being able to allow the client to just invoke OpenSSL from the command-line.
This is being posted to SO because I'm an engineer doing security-related work, and am seeking the insights of those doing similar work.
Upvotes: 2
Views: 1264
Reputation: 46050
Actually, CAs construct the certificate using some information from the CSR rather than just signing the CSR. CAs always add extensions -- at least KeyUsage and ExtKeyUsage are set by the CA, and CRL and OCSP responder locations are also specified via extensions set by the CA. There can be more extensions set as well.
Upvotes: 2
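The CA-side mechanics this answer describes, as an added example that is not code from the thread: the requester's CSR asks for a single SAN, and the CA's signing profile injects key usage, EKU, CRL/OCSP pointers, an extra SAN and a private extension that were never in the CSR. It assumes openssl 1.1.1 or later in PATH; the DNS names, URLs and the private OID arc are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. A CA signs a CSR while adding
# extensions the requester never asked for. Assumes openssl >= 1.1.1 in
# PATH. Names, URLs and the private OID arc are placeholders.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"; trap 'rm -rf "$WORK"' EXIT

# Requester side: the CSR carries only a subject and one SAN.
openssl req -new -newkey rsa:2048 -nodes -keyout app.key -out app.csr \
  -subj "/O=Example Corp/CN=app.internal.example" \
  -addext "subjectAltName=DNS:app.internal.example" 2>/dev/null

# CA side: a self-signed issuing CA plus the extension profile it enforces.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 365 -subj "/O=Example Corp/CN=Example Internal CA" 2>/dev/null

cat > profile.cnf <<'EOF'
basicConstraints       = critical,CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth,clientAuth
crlDistributionPoints  = URI:http://crl.internal.example/ca.crl
authorityInfoAccess    = OCSP;URI:http://ocsp.internal.example
# CA policy replaces the requested SAN list entirely (here it adds a name).
subjectAltName         = DNS:app.internal.example,DNS:app.svc.example
# Placeholder private extension. Marking it critical would make every
# verifier that does not understand the OID reject the certificate.
1.3.6.1.4.1.99999.1    = ASN1:UTF8String:tenant-42
EOF

# Sign: x509 -req does not copy the CSR's "Requested Extensions"; only the
# subject and public key survive, and profile.cnf supplies the extensions.
openssl x509 -req -in app.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 90 -extfile profile.cnf -out app.pem 2>/dev/null

# List extension names in a CSR (cmd=req) or a certificate (cmd=x509).
ext_names() {
  openssl "$1" -in "$2" -noout -text |
    grep -E '^ +(X509v3 [A-Za-z ]+|Authority Information Access):' |
    sed 's/^ *//; s/:.*//' | sort -u
}

# Extensions present in the issued certificate but absent from the CSR.
added_extensions() {
  ext_names req app.csr > csr.ext
  ext_names x509 app.pem > cert.ext
  comm -13 csr.ext cert.ext
}

added_extensions
```

Running it prints the names the CA injected (key usage, EKU, basic constraints, CRL and OCSP pointers); the SAN does not appear because both sides carry one, even though the CA rewrote its contents.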
Reputation: 102246
Is it possible for the CA to intervene and add extensions to an X.509 that aren't in the CSR
Yes. For example, Startcom will add a Description, add an Email Address, and add a Common Name. So the subject's DN displayed will be similar to:
$ openssl x509 -in www-example-com.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 903612
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: Jan 30 08:54:48 2014 GMT
            Not After : Jan 31 12:51:02 2015 GMT
        Subject: description=v91xHxCGaTrqOAm, C=US, CN=www.example.com/[email protected]
        Subject Public Key Info:
        ...
In my case, I did not specify a Description or Common Name (the Common Name is deprecated, and should not be used). I only specified two DNS Subject Alt Names (and other subject info).
A CA will also likely drop some fields, and modify or overwrite fields that you have already supplied.
A CSR is a lot like a Wikipedia contribution. Don't submit it if you don't want it mercilessly edited.
This is being posted to SO because I'm an engineer doing security-related work...
It's still probably off-topic :o
Upvotes: 1