I'm trying to implement this in C:
openssl req -new -config client.config -key ./my-key.pem -out certreq.csr
client.config has this
...
[ req_attributes ]
challengePassword = password
...
So far so good, but I don't know how to load the client.config file in the program.
I tried this
OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_new();
OSSL_LIB_CTX_load_config(ctx, "./client.config");
p_x509_req = X509_REQ_new_ex(ctx, NULL);
but in the generated CSR the Attributes part shows
(none)
Using the openssl command line, the Attributes are correctly set to
challengePassword :password
It may be that I don't correctly understand what the ctx here is and whether I'm using the right context.
asked Mar 17 at 14:53 by Matteo Prinetti

2 Answers

The config file data read here is specific to the OpenSSL "req" application. You don't automatically get it just by using the X509_REQ APIs. You can recreate the same effect by doing something like what the req application does.
For example, here is how req applies attributes from a config file onto an X509_REQ object (having first read the attribute data from the config file into a stack of CONF_VALUE objects):
https://github.com/openssl/openssl/blob/4a1a7fe5ce088964010779e1f5a90560903ecc76/apps/req.c#L1333-L1340
    for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
        v = sk_CONF_VALUE_value(attr_sk, i);
        if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
                                       (unsigned char *)v->value, -1))
            return 0;
    }
If the final goal is just to create a CSR inside your application, then one option is to use the X509_REQ_new(), X509_REQ_set_xxx() and X509_REQ_get_xxx() functions.
For example (key is an EVP_PKEY * holding the private key the CSR is signed with):
    X509_REQ *req = X509_REQ_new();
    if (req)
    {
        X509_NAME *subject = X509_REQ_get_subject_name(req);
        if (subject)
        {
            // Populate subject
            ....
        }
        // Attach the public key, then sign the request with the private key
        if (X509_REQ_set_pubkey(req, key))
            ....
        if (X509_REQ_sign(req, key, EVP_sha256()))
            ....
    }
This way you can avoid creating the client.config file. It also provides precise error handling, because you must check the return status after every step.