Adding custom X.509 extensions to certificate signing requests

Document ID : KB000042912
Last Modified Date : 25/09/2018
Introduction:
CA API Gateway provides minimal Certificate Authority functions for convenience, but the OpenSSL suite allows far more control over certificate contents. This article describes how to generate a certificate signing request (CSR) that carries custom X.509 extensions.
Background:
Certificate signing requests for X.509 certificates typically contain standard certificate extensions that specify critical key usage statements and the intended deployments of a certificate. Additionally, customized extensions can be included for client applications to use as they see fit. The Gateway does not currently support the creation of custom X.509 extensions through the Layer 7 Policy Manager. An enhancement request was previously filed under development incident identifier FR-478 to cover this functionality. In the interim, the OpenSSL suite provides the necessary tools to add custom X.509 extensions to CSRs.
Environment:
CA API Management Gateway
Instructions:

OpenSSL Configuration

The OpenSSL configuration file must be customized for these extensions to take effect. A sample OpenSSL configuration that meets this need is provided below; the [ req ] section must reference the extension section through req_extensions, otherwise the extensions are only applied when the certificate is signed and never appear in the CSR itself.
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
# Embed the extensions listed in [ cert_ext ] in the CSR so a CA receives them
req_extensions = cert_ext
prompt = no

[ req_distinguished_name ]
CN = sf23607

[ req_attributes ]

[ cert_ext ]
# Key identifier derived from the public key (hash)
subjectKeyIdentifier=hash
# Marked critical: relying parties that do not understand keyUsage must reject the certificate
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth

Procedure

Once the required OpenSSL configuration has been completed, a new CSR must be generated and the request signed. The example below generates a self-signed certificate from a new private key (server.key). If a key already exists, or the CSR is to be provided to a CA for signing, skip the corresponding steps.

# Generate a new RSA private key (skip if one already exists). The article's original
# example used a 512-bit key; 512-bit RSA is trivially factorable and is unsuitable
# outside a throwaway demonstration, so 2048 bits is used here.
openssl genrsa -out server.key 2048
# Build the CSR; with req_extensions set in [ req ], the [ cert_ext ] extensions are embedded in it
openssl req -config ./openssl.cnf -new -key server.key -nodes -out server.csr

# Self-sign the request, applying the same extension section to the issued certificate
openssl x509 -extfile ./openssl.cnf -extensions cert_ext -req -signkey server.key -in server.csr -out server.pem
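The script below is an added, self-contained example (it is not part of the CA knowledge base article and not Gateway code) that carries the configuration and procedure above through end to end and adds the check a practitioner wants before handing a CSR to a CA: it embeds the standard extensions plus a genuinely custom extension under a private OID, generates the key and CSR, and inspects the CSR to confirm the extensions were actually written into it. The working directory, the common name, the subjectAltName and the OID 1.3.6.1.4.1.99999.1 with its UTF8String payload are all placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: generate a CSR that carries custom X.509 extensions and verify them.
# Requires the openssl command-line tool; all names and the private OID are placeholders.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not found in PATH; nothing to do" >&2
  exit 0
fi

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an OpenSSL config whose [ req ] section points at the extension section,
# so the extensions land in the CSR itself rather than only in a self-signed cert.
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = cert_ext
prompt             = no

[ req_distinguished_name ]
CN = example-gateway

[ cert_ext ]
subjectKeyIdentifier = hash
keyUsage             = critical,digitalSignature,keyEncipherment
extendedKeyUsage     = clientAuth,serverAuth
subjectAltName       = DNS:gateway.example.test
# Placeholder private-enterprise OID carrying an arbitrary UTF8String payload
1.3.6.1.4.1.99999.1  = ASN1:UTF8String:tenant-id-placeholder
EOF
}

# Create a 2048-bit key and the CSR from the config above
generate_csr() {
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -config "$WORKDIR/openssl.cnf" -new \
    -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr"
}

# Print only the "Requested Extensions" block of the CSR for human review
show_csr_extensions() {
  openssl req -in "$WORKDIR/server.csr" -noout -text \
    | sed -n '/Requested Extensions/,/Signature Algorithm/p'
}

# Exit status 0 when the given string appears in the decoded CSR (OpenSSL prints
# unknown extensions as their dotted OID, known ones by their long name)
csr_has_extension() {
  openssl req -in "$WORKDIR/server.csr" -noout -text | grep -q -- "$1"
}

# Self-sign with the same section; a real CA would use -CA/-CAkey here instead
self_sign() {
  openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
    -extfile "$WORKDIR/openssl.cnf" -extensions cert_ext -days 365 \
    -out "$WORKDIR/server.pem" 2>/dev/null
}

# Same check against the issued certificate: what a CA actually signed may differ
cert_has_extension() {
  openssl x509 -in "$WORKDIR/server.pem" -noout -text | grep -q -- "$1"
}

main() {
  write_config
  generate_csr
  show_csr_extensions
  csr_has_extension "1.3.6.1.4.1.99999.1" && echo "CSR carries the custom OID extension"
  csr_has_extension "TLS Web Client Authentication" && echo "CSR carries extendedKeyUsage"
  csr_has_extension "Digital Signature, Key Encipherment" && echo "CSR carries keyUsage"
  self_sign
  cert_has_extension "1.3.6.1.4.1.99999.1" && echo "Certificate carries the custom OID extension"
  echo "Artifacts in $WORKDIR"
}

main
```

Run it as plain `sh`; it leaves server.key, server.csr and server.pem in a fresh temporary directory (or in WORKDIR if set). The check against the issued certificate matters because a CA applies its own policy when signing and is free to drop or override extensions requested in a CSR, so the presence of an extension in the CSR does not guarantee it survives into the certificate.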