-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
I found the cause of my issue: When creating a new intermediate ca, I did
not purge the old directory, thus starting with an serial>01 and issued
certificates, revocation list which does not match the new private key.
Still my wish remains: a more verbose error message would have made the
problem with the setup much clearer!
regards,
Erich
On Wed, 4 Dec 2019, Erich Eckner wrote:
Hi,
I'm trying to sign a csr by running
`CA=signing-ca openssl ca -verbose -config /etc/simple-pki/ca-ssl.conf -name
signing_ca -in /tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.csr -out
/tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.crt -extensions server_ext`
but it fails with exit code 1, solely printing the message
"Using configuration from /etc/simple-pki/ca-ssl.conf"
How can I see what's going wrong? Should I use gdb and/or strace to find what
the issue is or is there an easier option to enable debug output?
For the sake of completeness, here comes the content of -
-------->8--------/etc/simple-pki/ca-ssl.conf----------->8--------------
# Simple Root & Signing CA
# The [default] section contains global constants that can be referred to
from
# the entire configuration file. It may also hold settings pertaining to more
# than one openssl command.
[ default ]
ca = $ENV::CA
dir = /etc/simple-pki # Top dir
# The next part of the configuration file is used by the openssl req command.
# It defines the CA's key pair, its DN, and the desired extensions for the CA
# certificate.
[ req ]
default_bits = 4096 # RSA key size
encrypt_key = no # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
prompt = no # Don't prompt for DN
distinguished_name = ca_dn # DN section
req_extensions = ca_reqext # Desired extensions
[ ca_dn ]
0.domainComponent = "net"
1.domainComponent = "eckner"
organizationName = "Eckner Net"
organizationalUnitName = "Eckner Net CA"
commonName = "Eckner Net Root CA"
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
# The remainder of the configuration file is used by the openssl ca command.
# The CA section defines the locations of CA assets, as well as the policies
# applying to the CA.
[ root_ca ]
certificate = $dir/ca/$ca.crt # The CA cert
private_key = $dir/ca/$ca/private/$ca.key # CA private key
new_certs_dir = $dir/ca/$ca # Certificate archive
serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
database = $dir/ca/$ca/db/$ca.db # Index file
unique_subject = no # Require unique subject
default_days = 365 # How long to certify for
default_md = sha1 # MD to use
policy = match_pol # Default naming policy
email_in_dn = no # Add email to cert DN
preserve = no # Keep passed DN ordering
name_opt = ca_default # Subject DN display options
cert_opt = ca_default # Certificate display options
copy_extensions = none # Copy extensions from CSR
x509_extensions = signing_ca_ext # Default cert extensions
default_crl_days = 30 # How long before next CRL
crl_extensions = crl_ext # CRL extensions
[ signing_ca ]
certificate = $dir/ca/$ca.crt # The CA cert
private_key = $dir/ca/$ca/private/$ca.key # CA private key
new_certs_dir = $dir/ca/$ca # Certificate archive
serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
database = $dir/ca/$ca/db/$ca.db # Index file
unique_subject = no # Require unique subject
default_days = 60 # How long to certify for
default_md = sha1 # MD to use
policy = match_pol # Default naming policy
email_in_dn = no # Add email to cert DN
preserve = no # Keep passed DN ordering
name_opt = ca_default # Subject DN display options
cert_opt = ca_default # Certificate display options
copy_extensions = copy # Copy extensions from CSR
x509_extensions = email_ext # Default cert extensions
default_crl_days = 7 # How long before next CRL
crl_extensions = crl_ext # CRL extensions
# Naming policies control which parts of a DN end up in the certificate and
# under what circumstances certification should be denied.
[ match_pol ]
domainComponent = match # Must match 'simple.org'
organizationName = match # Must match 'Simple Inc'
organizationalUnitName = optional # Included if present
commonName = supplied # Must be present
[ any_pol ]
domainComponent = optional
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
# Certificate extensions define what types of certificates the CA is able to
# create.
[ root_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ signing_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Certificate extensions define what types of certificates the CA is able to
# create.
[ email_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = CA:false
extendedKeyUsage = emailProtection,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = CA:false
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# CRL extensions exist solely to point to the CA certificate that has issued
# the CRL.
[ crl_ext ]
authorityKeyIdentifier = keyid:always
- --------8<--------/etc/simple-pki/ca-ssl.conf-----------8<--------------
regards,
Erich
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl3qZdMACgkQCu7JB1Xa
e1q+iQ//ZHTpV9yLPUZj3U2g2DKN5iCT3JcNAO3hiwtFyletDIzuks3CsJCLnHEz
k5qDJ/JpyJz6kMrj9wffxYwBsbo9NL8bFdlt58u0PQYSlqxq6ZGO9NSmhf+3mzvO
nD7xiBR9UD8/Yh4pzMtGAGD4Wd2jvBkZtnRcJmayhSurniSnkSQYL932SwkL/q6Q
4sQoZ2axViuRnUdLctMarDOLLmwYS1duDOjlcdpdSYmkzh7I8uAfHjm5lKscBsn1
LX/nvB80fb8MYuUV+CdCvQvZr0mV0nIm1aU8IvXyBCR2ZuV0yulL4DS7DX/JSg3M
BR6kmT/PFxiNkMcNkNnZmYNT4zzoE4WbmvthtClniAxpDNtIefbLCOt4vPfh4RK+
TbI3PZPEt1S0sZYa1CqCa2hR2XfHoX46KySa6hdni7tQQM+EYiYpginpBI67OPDV
bnI4UjUXEUgl5gwWXiPfUMrHBdKUHxpzFfGsHzCbslFr30Dm6NZs5lOZ2SmRNaSU
yNk9N6EHH3TblY1PjUZOkYSZKJpjOXhEXsNaSxZc8upoFesTp63G75+Ck17ZcX4C
i6pDnHY3fZ0usb2HjcQOFHnzXU2U7aCoRGWnDSUl0dN4X1kyWk23Y3nFP6jdgsUi
aAu+2id1oWFqaDEHRzyzxDtYsRtqmlA75rcZNmdmrG8jK0Q2XWM=
=Lsck
-----END PGP SIGNATURE-----
