Hi Thomas,

Could you share the relevant piece of the code and perhaps the raw CSR data it generates?

From what you write, it looks like you have called `mbedtls_x509write_csr_set_extension()` with
OID `MBEDTLS_OID_SERVER_AUTH`, which isn't quite right: `mbedtls_x509write_csr_set_extension()`
registers a single extension, and the TLS Web Server Authentication usage is one usage constraint
within the ExtendedKeyUsage extension. I'd therefore expect that you have to call
`mbedtls_x509write_csr_set_extension()` with `MBEDTLS_OID_EXTENDED_KEY_USAGE`,
passing it the raw ASN.1 content of the ExtendedKeyUsage extension, part of which is
`MBEDTLS_OID_SERVER_AUTH`.
To my knowledge, there is currently no API within Mbed TLS which helps you write this
ASN.1 content from a list of usage constraints, so you will need to build it manually. If you have
trouble with that, let us know. Alternatively, you might copy it from any certificate you know
which has the desired ExtendedKeyUsage.

Apologies for this inconvenience, I do think it would be beneficial to have some helper
function for writing such an important extension as ExtendedKeyUsage which doesn't
force users to hand-craft ASN.1.

Best,
Hanno
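
The hand-built ASN.1 content described in the reply above, as an added example that is not part of the original message or of Mbed TLS: it DER-encodes an ExtendedKeyUsage value from a list of KeyPurposeId OIDs, so the same routine covers more than the single serverAuth case. `struct oid_ref` and `eku_build_der()` are hypothetical names, and the block deliberately does not link against Mbed TLS; the call it would feed is shown in a comment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Content octets of the serverAuth KeyPurposeId (1.3.6.1.5.5.7.3.1, RFC 5280).
 * Mbed TLS exposes the same bytes as MBEDTLS_OID_SERVER_AUTH. */
static const unsigned char KP_SERVER_AUTH[] = {0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01};

struct oid_ref { const unsigned char *p; size_t len; }; /* hypothetical helper type */

/* Write ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER as DER.
 * Returns the number of bytes written, or 0 on bad input or a short buffer.
 * Only short-form lengths (total content below 128 bytes) are handled. */
size_t eku_build_der(const struct oid_ref *oids, size_t n,
                     unsigned char *out, size_t out_size)
{
    size_t body = 0, pos = 0, i;
    if (n == 0) return 0;                      /* empty list is not allowed */
    for (i = 0; i < n; i++) {
        if (oids[i].len == 0 || oids[i].len > 125) return 0;
        body += 2 + oids[i].len;               /* tag + length + content */
        if (body > 127) return 0;              /* would need long-form length */
    }
    if (out_size < 2 + body) return 0;
    out[pos++] = 0x30;                         /* SEQUENCE */
    out[pos++] = (unsigned char) body;
    for (i = 0; i < n; i++) {
        out[pos++] = 0x06;                     /* OBJECT IDENTIFIER */
        out[pos++] = (unsigned char) oids[i].len;
        memcpy(out + pos, oids[i].p, oids[i].len);
        pos += oids[i].len;
    }
    return pos;
}

int main(void)
{
    const struct oid_ref usages[] = { { KP_SERVER_AUTH, sizeof(KP_SERVER_AUTH) } };
    unsigned char buf[32];
    size_t len = eku_build_der(usages, 1, buf, sizeof(buf)), i;
    for (i = 0; i < len; i++) printf("%02X ", buf[i]);
    printf("\n");
    /* buf/len is the value to register under MBEDTLS_OID_EXTENDED_KEY_USAGE:
     * mbedtls_x509write_csr_set_extension(&req, MBEDTLS_OID_EXTENDED_KEY_USAGE,
     *     MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE), buf, len);
     * (argument list as in Mbed TLS 2.x; check x509_csr.h for your version) */
    return len == 0;
}
```

After generating the request, `openssl req -in <csr> -noout -text` should list "TLS Web Server Authentication" indented under "X509v3 Extended Key Usage" rather than as a separate, empty extension.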

From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Thomas Volgmann via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: Friday, April 3, 2020 9:01 AM
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] How to generate a certificate request with X.509 OID MBEDTLS_OID_SERVER_AUTH
 

Hello,

I have a problem generating the following content in a certificate request:

Requested Extensions:
           X509v3 Extended Key Usage:
               TLS Web Server Authentication
           X509v3 Basic Constraints:
               CA:FALSE

The only thing I could produce was:

       Requested Extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:

            TLS Web Server Authentication:

Can anybody help me with the function:

mbedtls_x509write_csr_set_extension

Kind regards

Thomas Volgmann

---------------------------------------

DSA-Volgmann

Redcarstr. 20

53842 Troisdorf

Tel:    02241 23416 11

Fax:    02241 23416 61

email : thomas.volgmann@dsa-volgmann.de

web:    www.dsa-volgmann.de

---------------------------------------

 
