On 08/08/18 20:49, Robert Moskowitz wrote:
> Finally back on working on my EDDSA pki.
>
> Working on beta Fedora29 which now ships with:
>
> OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
>
> To recap, there are challenges on hash specification. In creating
> certs, I cannot have a default_md line in my .cnf file, or at least for it
> to = sha256. And in those commands where I had to have -md sha256 with
> ecdsa, I have to have -md null. This is compared to those commands that
> took -sha256 and now require nothing in the command line about the hash.
>
> So on to crl:
>
> openssl ca -config $dir/openssl-$intermediate.cnf \
> -gencrl -out $dir/crl/$crl
>
> Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
> Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
> variable lookup failed for CA_default::default_md
> 3069739024:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
>
> In this .cnf file, there is no default_md line.
>
> So I added -md to the command line:
>
> openssl ca -config $dir/openssl-$intermediate.cnf -md null \
> -gencrl -out $dir/crl/$crl
>
> And that worked.
>
> Very confusing. It would be preferable if EDDSA-related generation just
> ignores md values?

I've just created PR 6901 that will hopefully improve things. This basically
ignores any -md or default_md setting if EdDSA is in use.

https://github.com/openssl/openssl/pull/6901

Matt
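The situation in the thread, reproduced as an added example that is not part of the mailing list post or of OpenSSL's own code: a throwaway Ed25519 CA (constructed paths and CA name) whose CA_default section deliberately keeps `default_md = sha256`, followed by `openssl ca -gencrl`. It assumes an `openssl` binary on PATH with the PR 6901 behaviour (1.1.1 final or later), where the digest setting is ignored for an EdDSA key and the CRL comes out signed with plain Ed25519; on 1.1.1-pre8 the same config was exactly what failed without `-md null`.

```shell
# Added example, not from the thread: throwaway Ed25519 CA plus "openssl ca
# -gencrl". CA_default keeps default_md = sha256 on purpose: with PR 6901 merged
# (OpenSSL 1.1.1 final and later) it is ignored for EdDSA keys and the CRL is
# signed with pure Ed25519; on 1.1.1-pre8 only "-md null" got past it.
set -eu

# Lay out the files and config "openssl ca -gencrl" expects under $1 (a scratch
# directory). Paths and the CA name are constructed for this demo.
setup_ed25519_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/crl"
    : > "$dir/index.txt"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $dir
database         = \$dir/index.txt
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.cert.pem
private_key      = \$dir/private/ca.key.pem
default_crl_days = 30
# Looked up unconditionally by "openssl ca"; ignored for EdDSA since PR 6901.
default_md       = sha256
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl genpkey -algorithm ED25519 -out "$dir/private/ca.key.pem"
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 365 \
        -key "$dir/private/ca.key.pem" -subj "/CN=constructed Ed25519 CA" \
        -out "$dir/ca.cert.pem"
}

# Issue the CRL, check its signature against the CA certificate, and print the
# signature algorithm recorded in it (expected "ED25519": no separate digest).
ed25519_crl_sigalg() {
    dir=$1
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/crl.pem" 2>/dev/null
    openssl crl -in "$dir/crl/crl.pem" -CAfile "$dir/ca.cert.pem" -noout 2>/dev/null
    openssl crl -in "$dir/crl/crl.pem" -noout -text |
        awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}
```

Run `setup_ed25519_ca "$(mktemp -d)"` and then `ed25519_crl_sigalg` on the same directory; the printed algorithm is the quick check that no digest was silently folded into the EdDSA signature.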