On Jul 27, 2018, at 1:20 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>
> On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
>>
>>> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>>>
>>> Error Loading extension section server_cert
>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
>>> 3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
>>> 3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
>>> 3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
>>>
>>> Please help me with these latest errors.
>> Start with a less exotic ".cnf" file.  These are all configuration errors,
>> unrelated to ed25519.  Get a working RSA config file, and then switch
>> algorithms.
>>
> I am using a working ecdsa config file

It is a good idea to read that file and match the error messages to the
file content.  You'll quickly find a bunch of $ENV:: settings that must
yield non-empty results, but you (surely) don't have those environment
variables set...  There are perhaps other issues.

> (the one in my draft-moskowitz-ecdsa-pki):
>
> # OpenSSL intermediate CA configuration file.
> # Copy to `$dir/intermediate/openssl-intermediate.cnf`.
>
> [ ca ]
> # `man ca`
> default_ca = CA_default
>
> [ CA_default ]
> # Directory and file locations.
> dir = $ENV::dir
> cadir = $ENV::cadir
> format = $ENV::format
>
> certs = $dir/certs
> crl_dir = $dir/crl
> new_certs_dir = $dir/newcerts
> database = $dir/index.txt
> serial = $dir/serial
> RANDFILE = $dir/private/.rand
>
> # The Intermediate key and Intermediate certificate.
> private_key = $dir/private/intermediate.key.$format
> certificate = $dir/certs/intermediate.cert.$format
>
> # For certificate revocation lists.
> crlnumber = $dir/crlnumber
> crl = $dir/crl/intermediate.crl.pem
> crl_extensions = crl_ext
> default_crl_days = $ENV::default_crl_days
>
> # SHA-1 is deprecated, so use SHA-2 instead.
> # default_md = sha256
>
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 375
> preserve = no
> policy = policy_loose
> copy_extensions = copy
>
> [ policy_strict ]
> # The root CA should only sign intermediate certificates that match.
> # See the POLICY FORMAT section of `man ca`.
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = optional
>
> [ policy_loose ]
> # Allow the intermediate CA to sign a more
> # diverse range of certificates.
> # See the POLICY FORMAT section of the `ca` man page.
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = optional
> UID = optional
>
> [ req ]
> # Options for the `req` tool (`man req`).
> default_bits = 2048
> distinguished_name = req_distinguished_name
> string_mask = utf8only
> req_extensions = req_ext
>
> # SHA-1 is deprecated, so use SHA-2 instead.
> # default_md = sha256
>
> # Extension to add when the -x509 option is used.
> x509_extensions = v3_ca
>
> [ req_distinguished_name ]
> # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
> countryName = Country Name (2 letter code)
> stateOrProvinceName = State or Province Name
> localityName = Locality Name
> 0.organizationName = Organization Name
> organizationalUnitName = Organizational Unit Name
> commonName = Common Name
> UID = User ID
>
> # Optionally, specify some defaults.
> # countryName_default = US
> # stateOrProvinceName_default = MI
> # localityName_default = Oak Park
> # 0.organizationName_default = HTT Consulting
> # organizationalUnitName_default =
>
> [ req_ext ]
> subjectAltName = $ENV::subjectAltName
>
> [ v3_ca ]
> # Extensions for a typical CA (`man x509v3_config`).
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true
> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
> keyUsage = critical, cRLSign, keyCertSign
>
> [ v3_intermediate_ca ]
> # Extensions for a typical intermediate CA (`man x509v3_config`).
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true, pathlen:0
> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
> keyUsage = critical, cRLSign, keyCertSign
>
> [ usr_cert ]
> # Extensions for client certificates (`man x509v3_config`).
> basicConstraints = CA:FALSE
> nsCertType = client, email
> nsComment = "OpenSSL Generated Client Certificate"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
> extendedKeyUsage = clientAuth, emailProtection
> crlDistributionPoints = $ENV::crlDP
> authorityInfoAccess = $ENV::ocspIAI
>
> [ server_cert ]
> # Extensions for server certificates (`man x509v3_config`).
> basicConstraints = CA:FALSE
> nsCertType = server
> nsComment = "OpenSSL Generated Server Certificate"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer:always
> keyUsage = critical, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> crlDistributionPoints = $ENV::crlDP
> authorityInfoAccess = $ENV::ocspIAI
>
> [ crl_ext ]
> # Extension for CRLs (`man x509v3_config`).
> authorityKeyIdentifier = keyid:always
>
> [ ocsp ]
> # Extension for OCSP signing certificates (`man ocsp`).
> basicConstraints = CA:FALSE
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical, digitalSignature
> extendedKeyUsage = critical, OCSPSigning

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
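Viktor's advice above, matching the error messages to the $ENV:: lines in the file, can be turned into a pre-flight check run before any openssl command that loads the config. The script below is an added example, not part of this thread, of the draft, or of OpenSSL: it pulls every $ENV::NAME reference out of a config file and lists the names whose variables are unset or empty in the current shell, which is the condition that leaves "value=" blank in the crlDistributionPoints error quoted above. The sample config is constructed from only the $ENV:: lines of the sections quoted in the thread, and the values exported by set_sample_env (paths, DNS name, CRL and OCSP URLs) are placeholders invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: report $ENV::NAME references in an
# OpenSSL config whose variables are unset or empty in the current shell.

# Constructed sample config: only the $ENV:: lines from the sections quoted
# in the thread, written to a temporary file so the example runs on its own.
SAMPLE_CNF="$(mktemp)"
cat > "$SAMPLE_CNF" <<'EOF'
[ CA_default ]
dir              = $ENV::dir
cadir            = $ENV::cadir
format           = $ENV::format
default_crl_days = $ENV::default_crl_days

[ req_ext ]
subjectAltName = $ENV::subjectAltName

[ server_cert ]
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess   = $ENV::ocspIAI
EOF

# env_refs FILE: print the distinct variable names referenced as $ENV::NAME.
env_refs() {
    grep -o '\$ENV::[A-Za-z_][A-Za-z0-9_]*' "$1" | sed 's/^\$ENV:://' | sort -u
}

# missing_env FILE: print each referenced name that is unset or empty in the
# environment. Returns 0 when every reference has a non-empty value, 1 if not.
missing_env() {
    _missing=0
    for _name in $(env_refs "$1"); do
        eval "_val=\${$_name:-}"
        if [ -z "$_val" ]; then
            echo "$_name"
            _missing=1
        fi
    done
    return $_missing
}

# set_sample_env: export placeholder values for the names the sample config
# uses. These paths and URLs are invented for this example, not taken from
# the thread; substitute your own CA layout and distribution points.
set_sample_env() {
    export dir=/tmp/example-ca/intermediate
    export cadir=/tmp/example-ca
    export format=pem
    export default_crl_days=30
    export subjectAltName=DNS:www.example.com
    export crlDP=URI:http://crl.example.com/intermediate.crl
    export ocspIAI="OCSP;URI:http://ocsp.example.com"
}

# Usage: run the check before invoking openssl with this config.
if missing_env "$SAMPLE_CNF" >/dev/null; then
    echo "all \$ENV:: references in $SAMPLE_CNF are set"
else
    echo "unset or empty \$ENV:: variables in $SAMPLE_CNF:"
    missing_env "$SAMPLE_CNF" | sed 's/^/  /'
fi
```

Run as-is the check lists all seven names; after set_sample_env (or after exporting your own values) it reports none. The same env_refs/missing_env pair works unchanged on the full config quoted in the thread, since the file path is a parameter.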