The creation of a certificate has a request phase and a signing phase. Both phases need to refer to an SSL configuration
file which will include the required extensions. The supported extensions are documented at man x509v3_config
.
The system-wide openssl configuration usually lies at /etc/ssl/openssl.cnf
. Suppose we need to request some X509 extensions (like keyUsage
, extendedKeyUsage
and subjectAltName
), so we need to add/override some parts and we create a configuration fragment in request.conf
: