Adding custom X.509 extensions to certificate signing requests

Article ID: 42912


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

CA API Gateway provides minimal Certificate Authority functions for convenience, but the OpenSSL suite allows much finer control over certificates. This article describes how to generate a certificate signing request (CSR) and how to append custom X.509 extensions to the resulting certificate using OpenSSL.

Certificate signing requests for X.509 certificates typically contain standard certificate extensions that specify critical key usage statements and intended deployments of a certificate. Additionally, customized extensions can be provided for client applications to use as they see fit. The Gateway does not currently support the creation of custom X.509 extensions through the Layer 7 Policy Manager. An enhancement request was previously filed under development incident identifier FR-478 to encompass this functionality. In the interim, the OpenSSL suite can provide the necessary tools to add custom X.509 extensions to CSRs.

Environment

CA API Management Gateway

Resolution

OpenSSL Configuration

The OpenSSL configuration file must be customized for these changes to take effect. A sample OpenSSL configuration that meets this need is provided below. Note that the [ cert_ext ] section is not referenced from the [ req ] section, so its extensions are not embedded in the CSR itself; they are applied when the request is signed, via the -extfile and -extensions options shown in the procedure below.
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no

[ req_distinguished_name ]
CN = sf23607

[ req_attributes ]

[ cert_ext ]
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth

Procedure

Once the OpenSSL configuration has been completed, a new CSR must be generated and the request signed. The example below generates a self-signed certificate from a new private key (server.key). If a key already exists, or if the CSR is to be provided to a CA for signing, skip the applicable steps.

# 1. Generate a new RSA private key (skip if server.key already exists).
#    512 bits is the article's example size; use at least 2048 bits for any real deployment.
openssl genrsa -out server.key 512
# 2. Build the CSR from the key and the [ req ] section of the configuration file.
openssl req -config ./openssl.cnf -new -key server.key -nodes -out server.csr

# 3. Self-sign the CSR, attaching the extensions from the [ cert_ext ] section
#    (skip if an external CA will sign the CSR).
openssl x509 -extfile ./openssl.cnf -extensions cert_ext -req -signkey server.key -in server.csr -out server.pem
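The procedure above attaches the extensions only at signing time, so a CSR handed to an external CA would not carry them. The following script is an added example, not code from the KB article or from CA, showing the variant a practitioner usually wants: the CSR itself carries the extensions (via req_extensions in [ req ]), including an arbitrary custom extension, and both the CSR and the self-signed certificate are inspected to confirm what a CA would see. It assumes the openssl command-line tool is on PATH, reuses the article's CN (sf23607), uses a 2048-bit key, and uses 1.3.6.1.4.1.99999.1 as a placeholder OID for the custom extension (a constructed value, not a registered one).

```shell
#!/bin/sh
# Added example (not from the KB article): build a CSR that carries its own
# X.509 extensions, self-sign it the way the article does, and verify both.
set -eu

# Scratch directory for key, CSR, certificate and config (constructed paths)
WORK="${WORK:-$(mktemp -d)}"

write_config() {
  # req_extensions points [ req ] at [ cert_ext ], so the CSR embeds the extensions
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = cert_ext
prompt             = no

[ req_distinguished_name ]
CN = sf23607

[ cert_ext ]
subjectKeyIdentifier = hash
keyUsage             = critical,digitalSignature,keyEncipherment
extendedKeyUsage     = clientAuth,serverAuth
# Custom extension: placeholder OID (assumption, not registered), UTF8String payload
1.3.6.1.4.1.99999.1  = ASN1:UTF8String:example-tenant-id
EOF
}

make_csr() {
  # 2048-bit key instead of the article's 512-bit demonstration size
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -config "$WORK/openssl.cnf" -new -key "$WORK/server.key" \
    -out "$WORK/server.csr"
}

# Self-sign with the article's approach: extensions supplied from the config file
sign_self() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -extfile "$WORK/openssl.cnf" -extensions cert_ext -days 30 \
    -out "$WORK/server.pem" 2>/dev/null
}

# Dump only the "Requested Extensions" block of the CSR for review
csr_extensions() {
  openssl req -in "$WORK/server.csr" -noout -text |
    sed -n '/Requested Extensions/,/Signature Algorithm/p'
}

# Return 0 if the CSR's extension block mentions the given OID or extension text
csr_has_extension() {
  csr_extensions | grep -q "$1"
}

# Return 0 if the signed certificate mentions the given OID or extension text
cert_has_extension() {
  openssl x509 -in "$WORK/server.pem" -noout -text | grep -q "$1"
}

# Stand-alone run: build everything and show the CSR's extension block
main() {
  write_config
  make_csr
  sign_self
  csr_extensions
}

[ "${0##*/}" = "sh" ] || [ "${RUN_MAIN:-0}" = "0" ] || main
```

Run with RUN_MAIN=1 to execute main; the functions can also be sourced individually. Two caveats worth knowing when adapting this: the unknown OID is printed by openssl as the bare OID followed by a DER hex dump, which is what the check greps for, and extensions embedded in a CSR are not copied into the certificate automatically by openssl x509 -req (OpenSSL 3.0 added -copy_extensions for that, and openssl ca has a copy_extensions option), which is why the signing step here still passes -extfile/-extensions exactly as the article does.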