Hi,

I could be wrong, but I think the problem may be that [Cert_policy_server] has a policyIdentifier with two values. Try something like:

[server_cert]
certificatePolicies = ia5org, @Cert_policy_server, @Cert_other_policy_server

[Cert_policy_server]
policyIdentifier = GroupeSTIAssurance
CPS.1 = http://cps.groupesti.com

[Cert_other_policy_server]
policyIdentifier = GroupeSTIDevice

Good luck,
-Dave

> On Apr 7, 2020, at 11:57, Richard Simard <richard.simard@xxxxxxxxxxxxx> wrote:
>
> Libor Chocholaty
>
> openssl ca -config etc/intermediate.cnf -extensions server_cert -days 1825 -notext -md sha256 -in intermediate/csr/test.groupesti.com.csr -out intermediate/certs/test.groupesti.com.crt
>
> Using configuration from etc/intermediate.cnf
> Enter pass phrase for /CA/intermediate/private/intermediate.key: ************
>
> Error Loading extension section server_cert
> 140542588306560:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=email_in_dn
> 140542588306560:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=rand_serial
> 140542588306560:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 140542588306560:error:2208306E:X509 V3 routines:policy_section:invalid object identifier:../crypto/x509v3/v3_cpols.c:183:section:Cert_policy_server,name:policyIdentifier,value:GroupeSTIAssurance, GroupeSTIDevice
> 140542588306560:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=certificatePolicies, value=ia5org, @Cert_policy_server
>
> Intermediate.cnf
>
> [ openssl_init ]
> oid_section = oids_section
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = /CA/intermediate
> certs = $dir/certs
> crl_dir = $dir/crl
> new_certs_dir = $dir/newcerts
> database = $dir/index.txt
> serial = $dir/serial
> RANDFILE = $dir/private/.rand
> private_key = $dir/private/intermediate.key
> certificate = $dir/certs/intermediate.crt
> crlnumber = $dir/crlnumber
> crl = $dir/crl/intermediate.crl
> crl_extensions = crl_ext
> default_crl_days = 30
> default_md = sha256
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 375
> preserve = no
> policy = policy_loose
>
> [ policy_strict ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ policy_loose ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> default_bits = 2048
> distinguished_name = req_distinguished_name
> utf8 = yes
> string_mask = utf8only
> name_opt = multiline, -esc_msb, utf8
> default_md = sha256
> x509_extensions = v3_ca
>
> [ req_distinguished_name ]
> countryName = "1. Nom du pays (2 lettres) (Ex, CA) "
> countryName_max = 2
> countryName_default = CA
> stateOrProvinceName = "2. Nom de l'État ou de la province (Ex, Québec) "
> stateOrProvinceName_default = Québec
> localityName = "3. Nom de localité (Ex, Saguenay) "
> localityName_default = Saguenay
> organizationName = "4. Nom de l'organisation (Ex, Groupe Solutions TI) "
> organizationName_default = Groupe Solutions TI Inc.
> organizationalUnitName = "5. Nom de l'unité organisationnelle (Ex, Service web) "
> organizationalUnitName_default =
> commonName = "6. Nom de la personne (Ex, Jean Tremblay) "
> commonName_max = 64
> commonName_default =
> emailAddress = "7. Adresse courriel (Ex, vous@xxxxxxxxxx "
> emailAddress_max = 64
> emailAddress_default =
>
> [ issuer_section ]
> O = Groupe Solutions TI Inc.
> CN = Groupe Solutions TI Inc. - Autorité TLS V3 Principal
> C = CA
> ST = Québec
> L = Saguenay
> streetAddress = 3-4109, Saint-Alexandre
> postalCode = G8A 2H1
> emailAddress = support@xxxxxxxxxxxxx
> telephoneNumber = +1 (418) 695-9007
>
> [ v3_ca ]
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true
> keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>
> [ v3_intermediate_ca ]
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true, pathlen:0
> keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>
> [ usr_cert ]
> basicConstraints = CA:FALSE
> nsCertType = client, email
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
> extendedKeyUsage = clientAuth, emailProtection
> SMIME-CAPS = ASN1:SEQUENCE:smime_seq
> crlDistributionPoints = crl_section
>
> [ Policy_usr_cert ]
> policyIdentifier = GroupeSTIAssurance, GroupeSTIUser
> CPS = http://cps.groupesti.com
>
> [ server_cert ]
> basicConstraints = CA:FALSE
> nsCertType = server
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid, issuer:always
> keyUsage = critical, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> certificatePolicies = ia5org, @Cert_policy_server
> crlDistributionPoints = crl_section
>
> [ Cert_policy_server ]
> policyIdentifier = GroupeSTIAssurance, GroupeSTIDevice
> CPS.1 = http://cps.groupesti.com
>
> [ crl_ext ]
> authorityKeyIdentifier = keyid:always
>
> [ crl_section ]
> fullname = URI:http://pki.groupesti.com/ca.crl
> CRLissuer = dirName:issuer_section
> reasons = keyCompromise, CACompromise
> authorityKeyIdentifier = keyid:always
>
> [ ocsp ]
> basicConstraints = CA:FALSE
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid, issuer
> keyUsage = critical, digitalSignature
> extendedKeyUsage = critical, OCSPSigning
>
> [ smime_seq ]
> SMIMECapability.0 = SEQWRAP, OID:sha1
> SMIMECapability.1 = SEQWRAP, OID:sha256
> SMIMECapability.2 = SEQWRAP, OID:sha1WithRSA
> SMIMECapability.3 = SEQWRAP, OID:aes-256-ecb
> SMIMECapability.4 = SEQWRAP, OID:aes-256-cbc
> SMIMECapability.5 = SEQWRAP, OID:aes-256-ofb
> SMIMECapability.6 = SEQWRAP, OID:aes-128-ecb
> SMIMECapability.7 = SEQWRAP, OID:aes-128-cbc
> SMIMECapability.8 = SEQWRAP, OID:aes-128-ecb
> SMIMECapability.9 = SEQUENCE:rsa_enc
>
> [ oids_section ]
> GroupeSTIAssurance = 1.3.6.1.4.1.51063.0.1
> GroupeSTIUser = 1.3.6.1.4.1.51063.0.1.0
> GroupeSTIDevice = 1.3.6.1.4.1.51063.0.1.1
> GroupeSTIAssuranceEV = 1.3.6.1.4.1.51063.0.1.2
>
> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Libor Chocholaty
> Sent: April 6, 2020 16:42
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: Help with certificatePolicies section
>
> Hi,
>
> could you share the commands that led to this error?
>
> It looks to me like a non-existent section in the config file is being referenced, e.g. as the parameter of the "-extensions" option.
>
> Regards,
> Libor
>
>
>
> On 2020-04-06 19:43, Richard Simard wrote:
>
> Hi!
> Can anybody help me with this error?
>
> Error Loading extension section server_cert
> 140091048477824:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=email_in_dn
> 140091048477824:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=rand_serial
> 140091048477824:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 140091048477824:error:2208306E:X509 V3 routines:policy_section:invalid object identifier:../crypto/x509v3/v3_cpols.c:183:section:Cert_policy_server,name:policyIdentifier,value:GroupeSTIAssurance, GroupeSTIDevice
> 140091048477824:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=certificatePolicies, value=ia5org,1.3.6.1.4.1.51063,@Cert_policy_server
>
> [ openssl_init ]
> oid_section = oids_section
>
> [ server_cert ]
> basicConstraints = CA:FALSE
> nsCertType = server
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid, issuer:always
> keyUsage = critical, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> certificatePolicies = ia5org, @Cert_policy_server
> crlDistributionPoints = crl_section
>
> [ Cert_policy_server ]
> policyIdentifier = GroupeSTIAssurance, GroupeSTIDevice
> CPS.1 = http://cps.groupesti.com
>
> [ crl_section ]
> fullname = URI:http://pki.groupesti.com/ca.crl
> CRLissuer = dirName:issuer_section
> reasons = keyCompromise, CACompromise
> authorityKeyIdentifier = keyid:always
>
> [ oids_section ]
> GroupeSTIAssurance = 1.3.6.1.4.1.51063.0.1
> GroupeSTIUser = 1.3.6.1.4.1.51063.0.1.0
> GroupeSTIDevice = 1.3.6.1.4.1.51063.0.1.1
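The one-OID-per-policyIdentifier rule behind Dave's fix can be checked before running openssl ca. The following is an added Python linter, not code from the thread or from OpenSSL; it assumes a constructed config excerpt with the failing [Cert_policy_server] section and resolves policy names through the section named by oid_section, the way the thread's config does.

```python
import re

# Constructed sample: the thread's failing section next to a corrected one.
SAMPLE_CNF = """
[ openssl_init ]
oid_section = oids_section
[ server_cert ]
certificatePolicies = ia5org, @Cert_policy_server, @Cert_other_policy_server
[ Cert_policy_server ]
policyIdentifier = GroupeSTIAssurance, GroupeSTIDevice
CPS.1 = http://cps.groupesti.com
[ Cert_other_policy_server ]
policyIdentifier = GroupeSTIDevice
[ oids_section ]
GroupeSTIAssurance = 1.3.6.1.4.1.51063.0.1
GroupeSTIDevice = 1.3.6.1.4.1.51063.0.1.1
"""

def parse_cnf(text):
    """Minimal OpenSSL-style config parser: {section: {key: value}}."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return sections

def check_policies(cnf, ext_section):
    """List each @policy section whose policyIdentifier OpenSSL would reject."""
    oid_names = cnf.get(cnf.get("openssl_init", {}).get("oid_section", ""), {})
    problems = []
    for item in cnf[ext_section].get("certificatePolicies", "").split(","):
        item = item.strip()
        if not item.startswith("@"):       # 'ia5org' and bare OIDs need no section
            continue
        sec = item[1:]
        ident = cnf.get(sec, {}).get("policyIdentifier", "")
        if "," in ident:                   # the thread's bug: two OIDs in one field
            problems.append(f"{sec}: policyIdentifier takes one OID, got '{ident}'")
            continue
        dotted = oid_names.get(ident, ident)  # resolve oid_section names, else numeric
        if not re.fullmatch(r"[0-2](\.\d+)+", dotted):   # first arc must be 0, 1 or 2
            problems.append(f"{sec}: '{ident}' is neither a known OID name nor a dotted OID")
    return problems
```

An unknown name that is not numeric is what produces the "first num too large" line in the thread's output, since OpenSSL then tries to read the text as a dotted OID.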