What is the difference between req_extensions in config and -extensions on command line?

Philippe A. · Jul 7, 2015 · Viewed 8.2k times

The sample openssl root ca config from the OpenSSL Cookbook defines the following (p40):

[req]
...
req_extensions = ca_ext

[ca_ext]
...

Later (p43), the root CA key is generated, then the root CA self-signed cert.

openssl req -new \
-config root-ca.conf \
-out root-ca.csr \
-keyout private/root-ca.key

openssl ca -selfsign \
-config root-ca.conf \
-in root-ca.csr \
-out root-ca.crt \
-extensions ca_ext

Isn't req_extensions redundant in this specific use case? When is req_extensions really needed?

Answer

frasertweedale · Jul 8, 2015

req_extensions is used for declaring request extensions to be included in PKCS #10 certificate signing request (CSR) objects. The extensions are part of the signed data in the CSR.

In general, a CA, when creating and signing an X.509 certificate in response to a CSR, and depending on the certificate profile, may or may not heed particular request extensions. You will need to use this to generate a CSR for use with a CA that expects particular information to be conveyed in this way.

OpenSSL itself does not copy any extensions from PKCS #10 requests to X.509 certificates; all extensions for certificates must be explicitly declared. The OpenSSL x509 man page provides some commentary:

Extensions in certificates are not transferred to certificate requests and vice versa.

Because you are using the OpenSSL CA, the use of req_extensions is indeed redundant.
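The following script is an added, runnable illustration of the point made in the answer above; it is not part of the original question or answer and not taken from the OpenSSL Cookbook. It builds a throwaway CA directory, generates a CSR whose req_extensions section carries basicConstraints, and then self-signs that CSR three times with `openssl ca`: once with no -extensions (the request extensions are dropped), once with -extensions ca_ext (extensions come from the config, as on the page), and once with copy_extensions = copy set in the CA section, which is the one knob that makes `openssl ca` take extensions from the CSR and is off (none) by default. It assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH; the file names (demo.conf, root-ca.csr, no-ext.crt, with-ext.crt, copied.crt) and the section name root_ca_copy are my own choices.

```shell
#!/bin/sh
# Added demonstration (not from the original post): a CSR built with
# req_extensions carries the extensions, but `openssl ca` only puts them in
# the certificate when told to, via -extensions or copy_extensions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA layout: the files `openssl ca` insists on.
mkdir certs
: > index.txt
echo 1000 > serial

# One config for both `req` and `ca`, modelled on the layout in the question.
# root_ca_copy is the same CA section with copy_extensions = copy added;
# the default for copy_extensions is none.
cat > demo.conf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ca_ext

[ dn ]
CN = Demo Root CA

[ ca_ext ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = root_ca

[ root_ca ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/certs
serial         = $dir/serial
private_key    = $dir/key.pem
default_md     = sha256
default_days   = 1
unique_subject = no
policy         = policy_any

[ root_ca_copy ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/certs
serial          = $dir/serial
private_key     = $dir/key.pem
default_md      = sha256
default_days    = 1
unique_subject  = no
policy          = policy_any
copy_extensions = copy

[ policy_any ]
commonName = supplied
EOF

# Key plus CSR; req_extensions puts the ca_ext section into the signed CSR body.
openssl req -new -newkey rsa:2048 -nodes -config demo.conf \
    -keyout key.pem -out root-ca.csr >/dev/null 2>&1

# Self-sign three ways, mirroring the question's `openssl ca -selfsign` step.
# (a) no -extensions: the request extensions are ignored.
openssl ca -batch -selfsign -config demo.conf -notext \
    -in root-ca.csr -out no-ext.crt >/dev/null 2>&1
# (b) -extensions ca_ext: extensions declared explicitly from the config.
openssl ca -batch -selfsign -config demo.conf -notext \
    -in root-ca.csr -out with-ext.crt -extensions ca_ext >/dev/null 2>&1
# (c) copy_extensions = copy (selected with -name): extensions taken from the CSR.
openssl ca -batch -selfsign -config demo.conf -name root_ca_copy -notext \
    -in root-ca.csr -out copied.crt >/dev/null 2>&1

# Number of "X509v3 Basic Constraints" lines in the CSR's text dump.
csr_bc_count() {
    openssl req -in root-ca.csr -noout -text | grep -c 'X509v3 Basic Constraints' || true
}

# Number of "X509v3 Basic Constraints" lines in a certificate's text dump.
cert_bc_count() {
    openssl x509 -in "$1" -noout -text | grep -c 'X509v3 Basic Constraints' || true
}

echo "CSR (req_extensions):          $(csr_bc_count)"
echo "cert, no -extensions:          $(cert_bc_count no-ext.crt)"
echo "cert, -extensions ca_ext:      $(cert_bc_count with-ext.crt)"
echo "cert, copy_extensions = copy:  $(cert_bc_count copied.crt)"
```

Run it with `sh demo.sh`. The CSR dump shows the basicConstraints extension once, the certificate signed without -extensions shows it zero times, and the other two show it once: with the default `openssl ca` configuration the request extensions are indeed redundant, and the certificate profile comes entirely from the -extensions section, while copy_extensions is the explicit opt-in if a CA does want to honour what the requester asked for.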