- Bug
- Resolution: Done
- Major
- 9.x
- Red Hat Enterprise Linux
- CCS 2025-1
Document link:
Section number and name:
2.3. Creating a private key and a CSR for a TLS server certificate using OpenSSL
2.5. Using a private CA to issue certificates for CSRs with OpenSSL
Describe the issue:
The extensions which we added in our CSR were not transferred by default to the certificate, so these extensions must be added to the certificate explicitly.
Impact of this issue:
If following the steps in the document, after executing 2.3 and 2.5, the result of executing "openssl x509 -text -noout -in <server-cert.crt>" is different from the one given at the end of 2.3: it is without "X509v3 Subject Alternative Name:".
Suggestions for improvement:
Add the remaining part of [server-cert] in the <example_server.cnf> given in 2.3 to the <openssl.cnf> instance given in 2.5, so that the content in [server-cert] remains consistent.
Example:
$ vim <openssl.cnf>
[server-cert]
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_name
[client-cert]
... ...
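
The behaviour reported above, reproduced as an added example (not part of the original report or of the Red Hat documentation): a CSR that requests a SAN is signed once with an extension section that lacks subjectAltName and once with the full [server-cert] section, and each certificate is checked for the SAN. The host names, the file names, the short.cnf stand-in and the use of -reqexts are assumptions; note that `@alt_name` only resolves if [alt_name] is in the same file passed to -extfile.

```shell
#!/bin/sh
# Added example. All names (Example CA, server.example.com) are constructed.
set -eu

# Create a throwaway CA, a server key and a CSR that requests a SAN, in $1.
make_csr() {
    cat > "$1/example_server.cnf" <<'EOF'
[server-cert]
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_name

[req]
distinguished_name = dn
prompt = no

[dn]
CN = server.example.com

[alt_name]
DNS.1 = server.example.com
EOF
    # Assumed stand-in for a signing config whose [server-cert] has no SAN.
    printf '[server-cert]\nextendedKeyUsage = serverAuth\n' > "$1/short.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -config "$1/example_server.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -config "$1/example_server.cnf" -reqexts server-cert \
        -out "$1/server.csr" 2>/dev/null
}

# Sign $1/server.csr using extension file $2; write the certificate to $3.
sign() {
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$2" -extensions server-cert \
        -out "$3" 2>/dev/null
}

# Print "present" or "missing" for the SAN extension; $1 is x509 or req.
san_status() {
    if openssl "$1" -text -noout -in "$2" | grep -q "Subject Alternative Name"
    then echo present; else echo missing; fi
}

dir=$(mktemp -d)
make_csr "$dir"
sign "$dir" "$dir/short.cnf" "$dir/short.crt"
sign "$dir" "$dir/example_server.cnf" "$dir/full.crt"
echo "CSR: $(san_status req "$dir/server.csr")"
echo "short: $(san_status x509 "$dir/short.crt") full: $(san_status x509 "$dir/full.crt")"
```

A certificate issued without the SAN is rejected by clients that validate host names against subjectAltName only, so checking the issued certificate, not just the CSR, belongs in the issuance procedure.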