Missing X509 extensions with an openssl-generated certificate

According to the bugs section of the x509 command documentation,

Extensions in certificates are not transferred to certificate requests and vice versa.

To work around this, I manually added the extensions to the self-signed certificate. This I did by copying the options from the [v3_req] section into a [v3_ca] section in a new file, and supplying that as an extensions file to the x509 command:

-extensions v3_ca -extfile ./ssl-extensions-x509.cnf

# ssl-extensions-x509.cnf
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121

For the openssl ca command the extensions are not copied from the CSR to the certificate unless they are included in the copy_extensions list within the active configuration (https://www.openssl.org/docs/man1.0.2/apps/ca.html).

Presumably the openssl x509 -req version has similar behaviors. There are concerns called out in the WARNINGS section of that manpage about using copy_extensions=copyall which mainly apply to having a real/conforming CA. If you're using it for private purposes you can stop, consider the risks, then enable it.
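
The behaviour described in the answers above can be checked locally with the script below. It is an added example, not part of the original posts: the file names, the temporary directory and CN=example.test are assumptions, while the extension values are the ones quoted above.

```shell
#!/bin/sh
# Added example. Names (req.cnf, ext.cnf, CN=example.test) are assumptions;
# the extension values are the ones quoted in the answer.

# Append the shared extension lines to file $2 under section name $1.
write_exts() {
    cat >>"$2" <<EOF
[$1]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121
EOF
}

# Build a key, a CSR carrying the extensions, and two self-signed certs in $1.
build_certs() {
    d=$1
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n[dn]\nCN = example.test\n' >"$d/req.cnf"
    write_exts v3_req "$d/req.cnf"
    : >"$d/ext.cnf"; write_exts v3_ca "$d/ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -out "$d/req.csr" -config "$d/req.cnf" 2>/dev/null &&
    # 1) No -extfile: the CSR's extensions are not transferred.
    openssl x509 -req -in "$d/req.csr" -signkey "$d/key.pem" -days 30 \
        -out "$d/plain.pem" 2>/dev/null &&
    # 2) The workaround: supply the extensions again at signing time.
    openssl x509 -req -in "$d/req.csr" -signkey "$d/key.pem" -days 30 \
        -extensions v3_ca -extfile "$d/ext.cnf" -out "$d/fixed.pem" 2>/dev/null
}

# Succeeds if PEM file $1 (parsed with "openssl $2") lists the SAN IP.
has_san() {
    openssl "$2" -in "$1" -noout -text 2>/dev/null |
        grep -q 'IP Address:192.168.73.120'
}

demo() {
    d=$(mktemp -d) || return 1
    build_certs "$d" || { rm -rf "$d"; return 1; }
    for f in req.csr:req plain.pem:x509 fixed.pem:x509; do
        if has_san "$d/${f%%:*}" "${f##*:}"; then r=present; else r=MISSING; fi
        echo "${f%%:*}: subjectAltName $r"
    done
    rm -rf "$d"
}
demo
```

Running the same `has_san` check against a certificate before deploying it catches a dropped subjectAltName before clients start rejecting the certificate.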