Adding custom X.509 extensions to certificate signing requests

Document ID : KB000042912
Last Modified Date : 25/09/2018
The CA API Gateway provides only minimal Certificate Authority functions as a convenience, whereas the OpenSSL suite gives more control over certificates. This article describes how to generate a certificate signing request (CSR) that carries custom X.509 extensions.
Certificate signing requests for X.509 certificates typically contain standard certificate extensions that specify critical key usage statements and intended deployments of a certificate. Additionally, customized extensions can be provided for client applications to use as they see fit. The Gateway does not currently support the creation of custom X.509 extensions through the Layer 7 Policy Manager. An enhancement request was previously filed under development incident identifier FR-478 to encompass this functionality. In the interim, the OpenSSL suite can provide the necessary tools to add custom X.509 extensions to CSRs.
CA API Management Gateway

OpenSSL Configuration

The OpenSSL configuration file must be customized for these changes to take effect. A sample OpenSSL configuration for this purpose is provided below.
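[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
# Take the subject from this file instead of prompting for it
prompt = no

[ req_distinguished_name ]
CN = sf23607

[ req_attributes ]

# Section selected by "-extensions cert_ext" when the request is signed
[ cert_ext ]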


Once the required OpenSSL configuration has been completed, a new CSR must be generated and the request signed. The example below generates a self-signed certificate from a new private key (server.key). If a key exists or the CSR is to be provided to a CA for signing then skip the applicable steps.

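# Generate the private key (use at least 2048 bits for RSA)
openssl genrsa -out server.key 2048
# Create the CSR from the key, using the customized configuration
openssl req -config ./openssl.cnf -new -key server.key -nodes -out server.csr

# Self-sign the request, applying the extensions in the cert_ext section
openssl x509 -extfile ./openssl.cnf -extensions cert_ext -req -signkey server.key -in server.csr -out server.pem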
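
The procedure above, end to end, as an added example that is not part of the original article: it fills cert_ext with a custom extension and also names the section in req_extensions, so the extension is carried in the CSR as well as applied from -extfile when signing. The OID 1.2.3.4.5.6.7.8.1, the CN, the extension value and all function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: names and values are constructed, not from the article.
# EXT_OID is a placeholder OID, not a registered one; real deployments
# should use an arc the organization owns.
EXT_OID="1.2.3.4.5.6.7.8.1"

# write_config FILE: configuration modelled on the article's openssl.cnf,
# plus req_extensions so the CSR itself carries the cert_ext section.
write_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = cert_ext
prompt             = no

[ req_distinguished_name ]
CN = example-host

[ cert_ext ]
keyUsage = critical, digitalSignature, keyEncipherment
$EXT_OID = ASN1:UTF8String:example-deployment-tag
EOF
}

# build_cert DIR: create the key, CSR and self-signed certificate in DIR.
build_cert() {
    write_config "$1/openssl.cnf" &&
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -config "$1/openssl.cnf" -new -key "$1/server.key" \
        -out "$1/server.csr" &&
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -extfile "$1/openssl.cnf" -extensions cert_ext \
        -out "$1/server.pem" 2>/dev/null
}

# csr_has_ext / cert_has_ext FILE: succeed if the custom OID is present
# in the decoded request or certificate.
csr_has_ext()  { openssl req  -in "$1" -noout -text | grep -q "$EXT_OID"; }
cert_has_ext() { openssl x509 -in "$1" -noout -text | grep -q "$EXT_OID"; }
```

Running csr_has_ext before handing a request to an external CA confirms the extension was actually requested; whether the CA copies it into the issued certificate depends on the CA's own policy.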