Hi Thomas,
Could you share the relevant piece of the code and perhaps the raw CSR data it generates?
From what you write, it looks like you have called `mbedtls_x509write_csr_set_extension()` with OID `MBEDTLS_OID_SERVER_AUTH`, which isn't quite right: `mbedtls_x509write_csr_set_extension()` registers a single extension, and the TLS Web Server Authentication usage is one usage constraint within the ExtendedKeyUsage extension. I'd therefore expect that you have to call `mbedtls_x509write_csr_set_extension()` with `MBEDTLS_OID_EXTENDED_KEY_USAGE`, passing it the raw ASN.1 content of the ExtendedKeyUsage extension, part of which is `MBEDTLS_OID_SERVER_AUTH`. To my knowledge, there is currently no API within Mbed TLS which helps you write this ASN.1 content from a list of usage constraints, so you will need to build it manually. If you have trouble with that, let us know. Alternatively, you might copy it from any certificate you know which has the desired ExtendedKeyUsage.
Apologies for this inconvenience, I do think it would be beneficial to have some helper function for writing such an important extension as ExtendedKeyUsage which doesn't force users to hand-craft ASN.1.
Best,
Hanno
________________________________
From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Thomas Volgmann via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: Friday, April 3, 2020 9:01 AM
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] How to generate a certificate request with X.509 OID MBEDTLS_OID_SERVER_AUTH
Hello,
I have a problem generating the following content in a certificate request:
    Requested Extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Basic Constraints:
            CA:FALSE
The only thing I could produce was:
    Requested Extensions:
        X509v3 Key Usage:
            Digital Signature
        X509v3 Extended Key Usage:
            TLS Web Server Authentication:
Can anybody help me with the function :
mbedtls_x509write_csr_set_extension
Kind regards
Thomas Volgmann
---------------------------------------
DSA-Volgmann
Redcarstr. 20
53842 Troisdorf
Tel: 02241 23416 11
Fax: 02241 23416 61
email: thomas.volgmann@dsa-volgmann.de
web: www.dsa-volgmann.de
---------------------------------------
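The hand-built ExtendedKeyUsage content described in the reply above, as an added example that is not code from the thread or from the Mbed TLS project. It generalizes to a list of key purposes; `eku_purpose`, `eku_encode` and `OID_LEN` are hypothetical names, and the OID bytes are written out so the block builds without the library.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* KeyPurposeId values as raw OID bytes, spelled out so this builds without
 * Mbed TLS; with the library, use MBEDTLS_OID_SERVER_AUTH and friends. */
#define OID_SERVER_AUTH "\x2b\x06\x01\x05\x05\x07\x03\x01" /* 1.3.6.1.5.5.7.3.1 */
#define OID_CLIENT_AUTH "\x2b\x06\x01\x05\x05\x07\x03\x02" /* 1.3.6.1.5.5.7.3.2 */
#define OID_LEN(x) (sizeof(x) - 1)

typedef struct { const char *oid; size_t len; } eku_purpose; /* hypothetical */

/* Encode ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId as DER.
 * Returns the number of bytes written, or 0 on bad input or a short buffer. */
size_t eku_encode(const eku_purpose *list, size_t n,
                  unsigned char *out, size_t out_size)
{
    size_t body = 0, hlen, i;
    unsigned char *p = out;
    if (list == NULL || out == NULL || n == 0) return 0;
    for (i = 0; i < n; i++) {
        if (list[i].len == 0 || list[i].len > 0x7f) return 0; /* short-form OID length */
        body += 2 + list[i].len;               /* tag + length + OID bytes */
        if (body > 0xffff) return 0;
    }
    hlen = body < 0x80 ? 2 : body <= 0xff ? 3 : 4;
    if (out_size < hlen + body) return 0;
    *p++ = 0x30;                               /* SEQUENCE */
    if (body >= 0x80) *p++ = (unsigned char) (0x80 | (hlen - 2)); /* long form */
    if (body > 0xff) *p++ = (unsigned char) (body >> 8);
    *p++ = (unsigned char) (body & 0xff);
    for (i = 0; i < n; i++) {
        *p++ = 0x06;                           /* OBJECT IDENTIFIER */
        *p++ = (unsigned char) list[i].len;
        memcpy(p, list[i].oid, list[i].len);
        p += list[i].len;
    }
    return (size_t) (p - out);
}

int main(void)
{
    const eku_purpose want[] = { { OID_SERVER_AUTH, OID_LEN(OID_SERVER_AUTH) } };
    unsigned char der[32];
    size_t i, n = eku_encode(want, 1, der, sizeof(der));
    for (i = 0; i < n; i++) printf("%02x", der[i]);
    printf("\n"); /* der/n is the value for MBEDTLS_OID_EXTENDED_KEY_USAGE */
    return n == 0;
}
```

The resulting buffer and length are what the reply suggests passing as the value to `mbedtls_x509write_csr_set_extension()` together with `MBEDTLS_OID_EXTENDED_KEY_USAGE`; check the function's exact parameter list in the `x509_csr.h` of your Mbed TLS version.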