Re: Env variables in config file to add a whole line


I got past the error to build the CSR by using:

crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI

Just $crlDP failed even though I had this defined in the [ca] section.

The CSR does not use the user_cert or server_cert. This was 'just' a config file syntax issue. When I try to make the cert I get the following:

crlDP=URI:http://www.htt-consult.com/pki/intermediate.crl.pem
default_crl_days=30
ocspIAI="OCSP;URI:http://ocsp.htt-consult.com";

   openssl ca -config $dir/openssl-intermediate.cnf -days 375\
       -extensions server_cert -notext -md sha256 \
       -in $dir/csr/$serverfqdn.csr.$format\
       -out $dir/certs/$serverfqdn.cert.$format

It works. But if I DON'T want a CRL or OCSP support and I use:

crlDP=
ocspIAI=

with the same command I get:

Error Loading extension section server_cert
3069510608:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
3069510608:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:316:
3069510608:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
3069510608:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=

So I need a way to have a 'null' value for NO CRL or NO OCSP.

I don't want to have to use SED to edit the config file based on what the goal is...

thanks

Bob
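An added example of the "no sed" route Bob is after (it is not code from the thread or from the OpenSSL project): keep two extension sections in one config and pick the section name from the environment with -extensions, so nothing is ever edited and no extension is handed an empty value. It assumes the openssl CLI is installed; the section names, the example.test URLs and the file names are constructed for the demonstration.

```shell
# Added example, not code from the thread: select the extension section by
# name through the environment instead of editing the config with sed.
# Assumes the openssl CLI; section names, URLs and file names are constructed.
set -eu
# Every $ENV:: reference is resolved when OpenSSL loads the file, so these must
# be set even when the section using them is not chosen (an unset one gives the
# "no conf or environment variable" error; an empty one "invalid null name").
: "${crlDP:=URI:http://crl.example.test/intermediate.crl.pem}"
: "${ocspIAI:=OCSP;URI:http://ocsp.example.test}"
export crlDP ocspIAI
write_config() {  # $1 = path of the config file to write
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = cert-with-selectable-extensions
# Server extensions with no revocation information at all.
[ server_cert_plain ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
# The same extensions plus CRL and OCSP pointers taken from the environment.
[ server_cert_revinfo ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI
EOF
}

# Issue a self-signed test certificate using extension section $1 in work
# directory $2; print "yes" or "no" for a CRL Distribution Points extension.
has_crl_dp() {
  write_config "$2/ext.cnf"
  openssl genrsa -out "$2/key.pem" 2048 2>/dev/null
  openssl req -new -key "$2/key.pem" -config "$2/ext.cnf" -out "$2/req.csr"
  openssl x509 -req -in "$2/req.csr" -signkey "$2/key.pem" -days 1 \
      -extfile "$2/ext.cnf" -extensions "$1" -out "$2/cert.pem" 2>/dev/null
  if openssl x509 -in "$2/cert.pem" -noout -text | grep -q 'CRL Distribution Points'
  then echo yes; else echo no; fi
}
# Usage: EXT_SECTION=server_cert_plain sh select-ext.sh  (default: revinfo)
if command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  SECTION=${EXT_SECTION:-server_cert_revinfo}
  echo "$SECTION: CRL DP present = $(has_crl_dp "$SECTION" "$WORK")"
  rm -rf "$WORK"
fi
```

The same section switch works with openssl ca, where the section name can also be given in the CA section as x509_extensions = $ENV::EXT_SECTION instead of on the command line.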

On 09/06/2017 12:23 PM, Robert Moskowitz wrote:
I am trying to use an environment variable to add a whole line to the config file. This is to control adding (or not providing) CRL and/or OCSP support.

export shows:

declare -x crlDP="crlDistributionPoints = URI:http://www.htt-consult.com/pki/intermediate.crl.pem";
declare -x default_crl_days="default_crl_days  = 30"
declare -x ocspIAI="authorityInfoAccess = OCSP;URI:http://ocsp.htt-consult.com";

The config file starts with:


[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir= $ENV::dir
cadir = $ENV::cadir
format= $ENV::format
crlDP = $ENV::crlDP
default_crl_days  = $ENV::default_crl_days
ocspIAI  = $ENV::ocspIAI


The usr_cert section has:

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
$crlDP
$ocspIAI

Note that the line with "$crlDP" is line 123

When I run the command:

openssl req -config $dir/openssl-intermediate.cnf -key $dir/private/$serverfqdn.key.$format -subj "$DN" -new -sha256 -out $dir/csr/$serverfqdn.csr.$format

I get the error:

req: Error on line 123 of config file "/home/rgm/ca/intermediate/openssl-intermediate.cnf"
unable to find 'distinguished_name' in config
problems making Certificate Request
3070145488:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto/conf/conf_lib.c:272:

Note that if I:

grep -n distinguished_name openssl-intermediate.cnf

68:distinguished_name  = req_distinguished_name
78:[ req_distinguished_name ]

So the warning about unable to find 'distinguished_name' in config is misleading. The problem is more likely with line 123, which is only the env variable.

I can play around with this and hopefully get the variables to work as

crlDistributionPoints = $crlDP

And if $crlDP is empty, it will not put an empty value into the cert. But why does what I have not work?

thanks

Bob


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
