-CAkey private/ca.key -next_serial -in certs/<name>.csr -out certs/<name>.crt
```
-Other output formats are also possible [4].
+Other output formats are also possible [4]. If generting an email certificate,
+add an extensions [5].
+
+```
+$ openssl req -config ca.cnf -new -key certs/private/<name>.key \
+ -out certs/<name>.csr -extensions email_cert
+$ openssl x509 -req -days 365 -sha256 -CA ca.pem -CAkey private/ca.key \
+ -next_serial -in certs/<name>.csr -out certs/<name>.crt \
+ -extensions email_cert
+```
Import
------
-Transform the certificate and the private key [5]. Upload the result to the
-browser [6].
+Transform the certificate and the private key [6]. Upload the result to the
+browser [7].
```
$ openssl pkcs12 -export -inkey <name>.key -in <name>.crt -out <name>.p12
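Review bot: the added signing command (`openssl x509 -req ... -extensions email_cert`) names an extension section but passes no `-extfile`, and `x509` reads extension sections only from the file given with `-extfile`. As written, the `email_cert` section is not applied and the issued certificate carries none of those extensions. Add `-extfile ca.cnf` to that command, and consider documenting a check such as `openssl x509 -in certs/<name>.crt -noout -text` so the reader can confirm the extensions are present before exporting to PKCS#12. Two wording nits in the added README sentence: "generting" should be "generating", and "add an extensions" should be "add the extensions section".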
[2] https://stackoverflow.com/a/41366949
[3] https://gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96
[4] https://gist.github.com/alexishida/607cca2e51ec356b1fe1909047ec70fd
-[5] https://superuser.com/a/1628622
-[6] https://superuser.com/a/1577753
+[5] https://unix.stackexchange.com/a/348488
+[6] https://superuser.com/a/1628622
+[7] https://superuser.com/a/1577753
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
+[ email_cert ]
+
+basicConstraints=CA:FALSE
+
+nsComment = "OpenSSL Generated Certificate"
+nsCertType = client, email
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
[ v3_req ]
# Extensions to add to a certificate request
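Review bot: the new `[ email_cert ]` section sets no `keyUsage`, `extendedKeyUsage` or `subjectAltName`, and relies on the legacy Netscape `nsCertType = client, email` alone to mark the certificate's purpose. Without those fields the certificate is not restricted to mail and client use by the standard X.509 extensions, and mail clients that match the sender address against an rfc822Name in the subject alternative name have nothing to match. Suggest adding `keyUsage = critical, digitalSignature, keyEncipherment`, `extendedKeyUsage = emailProtection, clientAuth` and `subjectAltName = email:copy` to this section. A short comment above the section saying which README command uses it would also help, since the neighbouring sections are commented.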