break;
case OPT_COPY_EXTENSIONS:
if (!set_ext_copy(&ext_copy, opt_arg())) {
- BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", opt_arg());
+ BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n",
+ opt_arg());
goto end;
}
break;
goto end;
if (!pub_key || !X509_set_pubkey(new_x509, pub_key))
goto end;
- if (ext_copy == EXT_COPY_UNSET)
+ if (ext_copy == EXT_COPY_UNSET) {
BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n");
- else if (!copy_extensions(new_x509, req, ext_copy)) {
+ } else if (!copy_extensions(new_x509, req, ext_copy)) {
BIO_printf(bio_err, "Error copying extensions from request\n");
goto end;
}
- /* TODO: (optionally) copy X.509 extensions from req */
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509,
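Review bot: The `else if (!copy_extensions(new_x509, req, ext_copy))` branch has no comment saying that the extensions it copies are chosen by whoever produced the request, which matters because the context line below shows the certificate may be issued under `CAcert`. With `copy` or `copyall`, a request could then supply extensions such as basicConstraints or keyUsage, not only the subjectAltName that the documentation names as the main use. Whether `copy_extensions` filters any of them is not visible here, since it is defined outside the hunk. I would add above the call `/* extensions are taken from the request as given; review them when req is not trusted */`. The enclosing block starts and ends outside the hunk.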
}
}
- /* tentatively set X.509 version 1 */
- if (!X509_REQ_set_version(req, 0L))
+ if (!X509_REQ_set_version(req, 0L)) /* so far there is only version 1 */
goto err;
if (fsubj != NULL)
Unless the B<-copy_extensions> option is used,
X.509 extensions are not copied from any provided request input file.
+
X.509 extensions to be added can be specified in the configuration file
or using the B<-addext> option.
=item B<-set_serial> I<n>
-Serial number to use when outputting a self-signed certificate. This
-may be specified as a decimal value or a hex value if preceded by C<0x>.
+Serial number to use when outputting a self-signed certificate.
+This may be specified as a decimal value or a hex value if preceded by C<0x>.
+If not given, a large random number will be used.
=item B<-copy_extensions> I<arg>
-Determines how extensions in certificate requests should be handled when B<-x509> is given.
-If I<arg> is B<none> or this option is not present
-then extensions present in the request are ignored.
+Determines how X.509 extensions in certificate requests should be handled
+when B<-x509> is given.
+If I<arg> is B<none> or this option is not present then extensions are ignored.
If I<arg> is B<copy> or B<copyall> then
-any extensions present in the request are copied to the certificate.
+all extensions in the request are copied to the certificate.
The main use of this option is to allow a certificate request to supply
values for certain extensions such as subjectAltName.