How to add extended key usage string when generating a self-signed certificate using openssl

I'm using openssl on Mac OS X 10.9 to generate a self-signed certificate for Windows Server Remote Desktop Services.

Using the command below I can generate the certificate,

   openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt

However, I need to add an extended key usage string Server Authentication (1.3.6.1.5.5.7.3.1) and I can't figure out how to do it in the command above.

I have tried using the openssl option -extfile with a file containing this,

[= default ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

However, I get an error that "-extfile option is not found".


Solution 1:

While openssl x509 uses -extfile, the command you are using, openssl req, needs -config to specify the configuration file.

So, you might use a command like this:

openssl req -x509 -config cert_config -extensions 'my server exts' -nodes \
            -days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt

The usual prompts for the distinguished name bits are defined in the default configuration file (which is probably /System/Library/OpenSSL/openssl.cnf on OS X), but this file is not processed when you use -config, so your configuration file must also include some DN bits. Thus, the above-referenced cert_config might look something like this:

[ req ]
prompt             = no
distinguished_name = my dn

[ my dn ]
# The bare minimum is probably a commonName
            commonName = secure.example.com
           countryName = XX
          localityName = Fun Land
      organizationName = MyCo LLC LTD INC (d.b.a. OurCo)
organizationalUnitName = SSL Dept.
   stateOrProvinceName = YY
          emailAddress = [email protected]
                  name = John Doe
               surname = Doe
             givenName = John
              initials = JXD
           dnQualifier = some

[ my server exts ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
# 1.3.6.1.5.5.7.3.1 can also be spelled serverAuth:
# extendedKeyUsage = serverAuth

# see x509v3_config for other extensions

As indicated in the comment, you can probably leave out most of the DN fields. For HTTPS usage, I think all you need is a CN that matches your hostname.


The Distinguished Name and Attribute Section Format section of req(1) shows how you could modify the above configuration to prompt for values (and provide default values) if you wanted to generate multiple similar certificates/requests.

If you need other certificate extensions, check x509v3_config(5) for what other bits you can specify in extension sections.

Solution 2:

With newer OpenSSL versions, all of this can be done on a single command line without the need to create a configuration file. The option -addext was also added to the req command. For a full list of possible values for the extended key usage, take a look into the config manual.

A full example:

openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out server.pem -days 7300 -subj '/CN=My Name/C=US/OU=My Unit/O=ACME' -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign" -addext "extendedKeyUsage = serverAuth, clientAuth"
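Both answers show how to get the extension in, but neither shows how to confirm it actually landed in the certificate, which is the check you want before installing it on the RDS host. The script below is an added example and is not code from either answer: it generates a self-signed certificate with extendedKeyUsage = serverAuth once via a config file (Solution 1) and once via -addext (Solution 2, which needs OpenSSL 1.1.1 or newer), then reads the Extended Key Usage back out of each certificate with openssl x509. The hostname, file names and section names are constructed for the example; a subjectAltName is added as well because modern clients match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example (not code from either answer): generate a self-signed cert
# with extendedKeyUsage = serverAuth two ways (config file, -addext) and
# verify that the extension is really present in the resulting certificate.
set -eu

# Write a minimal openssl req config ($1) for a non-interactive self-signed
# certificate whose CN and SAN are the hostname in $2.
write_req_config() {
  cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = server_exts

[ dn ]
commonName = $2

[ server_exts ]
# 1.3.6.1.5.5.7.3.1 is the OID spelled serverAuth
extendedKeyUsage = serverAuth
# modern clients match the hostname against the SAN, not the CN
subjectAltName   = DNS:$2
EOF
}

# Print the Extended Key Usage value recorded in certificate $1
# (e.g. "TLS Web Server Authentication" for serverAuth).
cert_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Approach 1 (Solution 1): -config with an extensions section.
# Prints the EKU of the generated certificate for hostname $1.
selfsigned_via_config() {
  workdir=$(mktemp -d)
  write_req_config "$workdir/cert_config" "$1"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -config "$workdir/cert_config" -extensions server_exts \
    -keyout "$workdir/myserver.key" -out "$workdir/myserver.crt" 2>/dev/null
  cert_eku "$workdir/myserver.crt"
  rm -rf "$workdir"
}

# Approach 2 (Solution 2): -subj and -addext, no config file
# (requires OpenSSL 1.1.1 or newer). Prints the EKU for hostname $1.
selfsigned_via_addext() {
  workdir=$(mktemp -d)
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$1" \
    -addext "extendedKeyUsage = serverAuth" \
    -addext "subjectAltName = DNS:$1" \
    -keyout "$workdir/myserver.key" -out "$workdir/myserver.crt" 2>/dev/null
  cert_eku "$workdir/myserver.crt"
  rm -rf "$workdir"
}
```

Run either function with the hostname the certificate is for, e.g. `selfsigned_via_config secure.example.com`; it prints `TLS Web Server Authentication` when the serverAuth EKU is present and fails (non-zero exit, because of `set -e` and the `grep`) when it is not. If you set `extendedKeyUsage = serverAuth, clientAuth` as in Solution 2, the `-text` output lists both purposes on one line.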