On 07/27/2018 01:26 PM, Viktor Dukhovni wrote:
On Jul 27, 2018, at 1:20 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
Error Loading extension section server_cert
3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
Please help me with these latest errors.
Start with a less exotic ".cnf" file. These are all configuration errors,
unrelated to ed25519. Get a working RSA config file, and then switch
algorithms.
I am using a working ecdsa config file
It is a good idea to read that file and match the error messages
to the file content. You'll quickly find a bunch of $ENV:: settings
that must yield non-empty results, but you (surely) don't have those
environment variables set... There are perhaps other issues.
I read those messages and got stuck on the first and did not catch the
last 2. My procedure did not set ocspIAI and crlDP. :(
Even though my write up says to make sure to do this! Sigh.
Got my EE server cert. Onwards!
(the one in my draft-moskowitz-ecdsa-pki):
# OpenSSL intermediate CA configuration file.
# Copy to `$dir/intermediate/openssl-intermediate.cnf`.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir= $ENV::dir
cadir = $ENV::cadir
format= $ENV::format
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial= $dir/serial
RANDFILE = $dir/private/.rand
# The Intermediate key and Intermediate certificate.
private_key = $dir/private/intermediate.key.$format
certificate = $dir/certs/intermediate.cert.$format
# For certificate revocation lists.
crlnumber= $dir/crlnumber
crl= $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = $ENV::default_crl_days
# SHA-1 is deprecated, so use SHA-2 instead.
# default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days= 375
preserve = no
policy= policy_loose
copy_extensions= copy
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more
# diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
UID= optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask= utf8only
req_extensions= req_ext
# SHA-1 is deprecated, so use SHA-2 instead.
# default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName= Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
UID = User ID
# Optionally, specify some defaults.
# countryName_default = US
# stateOrProvinceName_default = MI
# localityName_default= Oak Park
# 0.organizationName_default= HTT Consulting
# organizationalUnitName_default =
[ req_ext ]
subjectAltName = $ENV::subjectAltName
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
# keyUsage = critical, digitalSignature, cRLSign, keyCertSign
keyUsage = critical, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
# keyUsage = critical, digitalSignature, cRLSign, keyCertSign
keyUsage = critical, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
