'OpenSSL extensions to CA certificate

Im using OpenSSL v1.1.1g and trying to add extensions to my self signed CA certificate using the following bat script:

rem #Create CSR
openssl req -newkey rsa:4096 -keyout ca-key.pem -out ca.csr -subj "..." -addext "keyUsage = cRLSign, digitalSignature, keyCertSign"
rem #Sign it
openssl x509 -signkey ca-key.pem -in ca.csr -req -days 365 -out ca-cert.pem -extfile extensions.cnf
pause

This is contents of extensions.cnf:

subjectAltName=DNS:localhost,IP:0.0.0.0,IP:127.0.0.1
crlDistributionPoints = URI:http://localhost:4444/crl.crl
keyUsage = cRLSign, digitalSignature, keyCertSign
basicConstraints=critical,CA:true,pathlen:0

It seems that neither -addext nor -extfile add keyusage to the cert, but crlDistributionPoints and basicConstraints work. Can someone post a solution how to add keyusage contents through similar command line commands? I do not want to edit openssl.cnf.

EDIT: Added image of CA cert CAcert



Solution 1:[1]

It seems that the reason for all this whackery was my aversion of openssl.cnf. The default config was used in background and i just had to create a minimal one by myself rather than using the default.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 LAL