Can't create a Version 1 end entity X.509 certificate
tomato42 opened this issue · comments
With openssl 3.0.7 it was possible to create an X.509 Version 1 certificate.

With openssl 3.2.1 using the `openssl ca` tool, when no `-extensions` option is specified or it points to an empty section, a version 3 certificate with `X509v3 Subject Key Identifier` and `X509v3 Authority Key Identifier` extensions is created.

When `-extensions` points to a section with:

```
subjectKeyIdentifier=none
authorityKeyIdentifier=none
```

then the certificate has no extensions but is still marked as a version 3 X.509 certificate. I see no other way to control the certificate version when using the `openssl ca` tool.
I am aware of the `openssl req -x509v1` option, but a) it creates self-signed version 1 certificates (so entirely unrealistic for a testing scenario, given that v1 certs were always intended to be usable for end entities only), and b) it actually doesn't work: it produces a malformed version 3 certificate, where the extensions look like this:

```
X509v3 extensions:
    X509v3 Subject Key Identifier:
    X509v3 Authority Key Identifier:
        0.
    X509v3 Basic Constraints: critical
        CA:TRUE
```

(this is using the `openssl req -x509v1 -newkey rsa:2048 -keyout root.key -out root.crt -subj /CN=localhost -batch -nodes -days 36500 -sha256` command)
From reading the documentation, it appears that `openssl ca` intentionally creates Version 3 CA certificates, implying that the creation of older certificates was not meant to be supported.

Checking the req app, that does seem to be a bug, in that the creation of an x509v1 certificate still includes v3 extensions.
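To verify what a generated certificate actually encodes, here is an added example (not code from OpenSSL or from this issue): a minimal DER walker that reports the version field as encoded (absent means the v1 default) and whether an extensions block is present, then applies the RFC 5280 rule that extensions require version 3. The `sample_tbs` helper and its empty placeholder name, validity and key fields are constructed inputs for illustration; on real files, pass the DER bytes of the certificate itself.

```python
# Added example, not code from OpenSSL or the issue: a minimal DER walker that reports
# the version an X.509 encoder claimed and whether an extensions block is present, so
# a "v1" certificate carrying v3 extensions or a v3 certificate with none can be spotted
# without a full ASN.1 library. Accepts the DER of a Certificate or a bare TBSCertificate.

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split a constructed element's body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = _tlv(body, pos)
        out.append((tag, child))
    return out

def inspect_tbs(der_bytes):
    """Return the claimed version, whether extensions exist, and an RFC 5280 verdict."""
    fields = _children(_tlv(der_bytes, 0)[1])
    if fields and fields[0][0] == 0x30:  # full Certificate: descend into tbsCertificate
        fields = _children(fields[0][1])
    if fields and fields[0][0] == 0xA0:  # version [0] EXPLICIT INTEGER, DEFAULT v1(0)
        version = int.from_bytes(_tlv(fields[0][1], 0)[1], "big") + 1
    else:
        version = 1  # field omitted: the DER default, i.e. a true v1 certificate
    tags = {t for t, _ in fields}
    has_exts = 0xA3 in tags  # extensions [3] EXPLICIT
    has_uids = bool(tags & {0x81, 0x82})  # issuer/subjectUniqueID [1]/[2] IMPLICIT
    # RFC 5280 4.1.2.1: extensions require v3; unique identifiers require v2 or v3.
    ok = (version == 3 or not has_exts) and (version >= 2 or not has_uids)
    return {"version": version, "extensions": has_exts, "consistent": ok}

def der(tag, body):
    """Encode one DER TLV (short and two-byte long-form lengths suffice here)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body

def sample_tbs(version, with_extensions):
    """Constructed TBSCertificate skeleton; name/validity/SPKI are empty placeholders."""
    parts = b"" if version is None else der(0xA0, der(0x02, bytes([version - 1])))
    parts += der(0x02, b"\x01") + der(0x30, b"") * 5  # serial + five placeholder SEQUENCEs
    if with_extensions:  # one extension: SEQUENCE { OID 2.5.29.14 (SKI), OCTET STRING }
        parts += der(0xA3, der(0x30, der(0x30, der(0x06, b"\x55\x1d\x0e") + der(0x04, b""))))
    return der(0x30, parts)
```

A result with `"version": 1` and `"extensions": True` is the malformed output the `req -x509v1` report above describes; `"version": 3` with `"extensions": False` is the `openssl ca` case and is permitted by RFC 5280.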