Is there a reason for not copying a certificate signing request's (CSR) extensions over to the certificate when creating a root CA the following way?
openssl req -config openssl.cnf -new -key ca.key.pem -out ca.csr.pem -addext 'basicConstraints=critical,CA:true' -addext 'keyUsage=critical,keyCertSign'
openssl x509 -req -in ca.csr.pem -signkey ca.key.pem -out ca.crt.pem
I'm aware that the single command openssl req -x509 ... does copy extensions, just wondering why using the two commands above doesn't.
Initial question:
Related question: Missing X509 extensions with an openssl-generated certificate
I know other methods exist (i.e. the openssl req -x509 ... command), but specifically for using two separate commands
openssl req -config openssl.cnf -new -key ca.key.pem -out ca.csr.pem -addext 'basicConstraints=critical,CA:true' -addext 'keyUsage=critical,keyCertSign'
openssl x509 -req -in ca.csr.pem -signkey ca.key.pem -out ca.crt.pem
to create a CA. Is there really no way to preserve the extensions from the CSR?
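The two-command flow from the question, reproduced as an added example (not part of the original post) that checks which outputs actually carry CA:TRUE and shows one way to keep the extensions by supplying them again at signing time with -extfile. The subject name, the v3_ca section name, the ca.plain.crt.pem file name and the contents of openssl.cnf are constructed for this demo.

```shell
#!/bin/sh
# Added example: file names follow the question; the subject name and the
# contents of openssl.cnf (including the v3_ca section) are constructed.

# Write a minimal config, create a throwaway key, build the question's CSR.
make_csr() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = Example Root CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:true' \
        'keyUsage = critical,keyCertSign' > "$1/openssl.cnf" &&
    openssl genrsa -out "$1/ca.key.pem" 2048 2>/dev/null &&
    openssl req -config "$1/openssl.cnf" -new -key "$1/ca.key.pem" \
        -out "$1/ca.csr.pem" \
        -addext 'basicConstraints=critical,CA:true' \
        -addext 'keyUsage=critical,keyCertSign'
}

# The question's second command: extensions requested in the CSR are ignored.
sign_plain() {
    openssl x509 -req -in "$1/ca.csr.pem" -signkey "$1/ca.key.pem" \
        -out "$1/ca.plain.crt.pem" 2>/dev/null
}

# Same command, with the extensions stated again by the signer.
sign_with_extfile() {
    openssl x509 -req -in "$1/ca.csr.pem" -signkey "$1/ca.key.pem" \
        -extfile "$1/openssl.cnf" -extensions v3_ca \
        -out "$1/ca.crt.pem" 2>/dev/null
}

# Succeed only if the CSR / certificate marks its subject as a CA.
csr_is_ca()  { openssl req  -in "$1" -noout -text | grep -q 'CA:TRUE'; }
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

report() { if "$@"; then echo yes; else echo no; fi; }
demo() {
    dir=$(mktemp -d) &&
    make_csr "$dir" && sign_plain "$dir" && sign_with_extfile "$dir" &&
    echo "CSR requests CA:TRUE:      $(report csr_is_ca "$dir/ca.csr.pem")" &&
    echo "plain x509 -req cert:      $(report cert_is_ca "$dir/ca.plain.crt.pem")" &&
    echo "x509 -req -extfile cert:   $(report cert_is_ca "$dir/ca.crt.pem")" &&
    rm -rf "$dir"
}
demo
```

On OpenSSL 3.0 and later, `openssl x509 -req` also accepts `-copy_extensions copy`, which carries the CSR's requested extensions into the certificate. When signing requests that come from someone else, review the requested extensions before copying them, since a CSR can ask for CA:TRUE.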