'openssl ca -serial' command line always exits with error 1?

Greetings openssl users,

I'm a long-time lurker.

I am trying to use the 'openssl ca' command to verify the status of a certificate
by serial number only.  I can successfully complete this task; however, the
'openssl ca' command always returns an error on completion.

I must point out, in advance, that I am using EasyRSA and EasyTLS to build my PKI
and I am using the OpenSSL command line to get the serial number status. So,
apologies in advance if this is an off-topic or spammy question.

Also, I am not asking for help with either EasyRSA or EasyTLS, I only want to
ascertain if my observation regarding openssl "always returns error 1" is
correct. Unfortunately, my C skills are too basic to be able to verify this
from openssl source code, which is why I must ask here.

Thank you in advance for all of your time and any feedback.

Anyway, "in for a penny .." and so I shall continue ..

For reference:
uname -a:
Linux arch-hyv-live-64 5.6.4-arch1-1 #1 SMP PREEMPT Mon, 13 Apr 2020 12:21:19
+0000 x86_64 GNU/Linux
OpenSSL: OpenSSL 1.1.1f  31 Mar 2020
EasyRSA: https://github.com/OpenVPN/easy-rsa/releases/tag/v3.0.7
EasyTLS: https://github.com/TinCanTech/easy-tls



The steps to reproduce this problem could not be simpler:

[tct@arch-hyv-live-64 ~]$ mkdir easytls
[tct@arch-hyv-live-64 ~]$ cd easytls/
[tct@arch-hyv-live-64 easytls]$ git clone
https://github.com/TinCanTech/easy-tls.git master
[tct@arch-hyv-live-64 easytls]$ cd master/
[tct@arch-hyv-live-64 master]$ ./op_test.sh

If you choose to run op_test.sh it will:
1. download the 'easyrsa' script only (the complete repo is not required).
2. download 'openssl-easyrsa.cnf' (the specific EasyRSA config file to use
openssl).
3. download a pre-built version of openvpn-git/master, which is required to
build tls-crypt-v2 keys and therefore allow the script to complete.
4. build a complete EasyRSA PKI with valid and revoked certificates.
5. build an EasyTLS "PKI" (not a real PKI, but I don't have a better name).

Steps 1-5 only take a few seconds to complete.

Next:
[tct@arch-hyv-live-64 master]$ cd pki
[tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
-keyfile private/ca.key -cert ca.crt

This will essentially list out index.txt.

[tct@arch-hyv-live-64 pki]$ echo $?

Note the exit status.

Then use a valid and then revoked serial no. from the index.txt above and run:

[tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
-keyfile private/ca.key -cert ca.crt -status $serial_number

[tct@arch-hyv-live-64 pki]$ echo $?

Note the exit status.

Repeat this last step with another serial number.

Again, my apologies if this email appears to be overly spammy but this was the
most effective way for me to explain my issue with sufficient details.

I am prepared to learn, in advance, that either:
* this is not an openssl error and exit code 1 is expected
or
* if I built the PKI myself then openssl would not return an error

but, at this time, this appears to me to be a problem with openssl.

Thank you for reading and I welcome any/all feedback.

--
Richard Bonhomme. (Independent)
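Added example (not from the post above, and not code from OpenSSL, EasyRSA or EasyTLS): a small POSIX shell script that reads the CA's index.txt, the database 'openssl ca' maintains and consults for the -status lookup, so the recorded status flag (V, R or E) of a serial can be checked independently of whatever exit status 'openssl ca -status' returns. The ca_status function wraps the post's own command and prints its output and its exit status side by side so the two can be compared. The index.txt layout assumed here (tab-separated: status flag, expiry, revocation date, serial, filename, subject) and the serial normalisation (uppercase hex, zero-padded to an even number of digits) are assumptions about how the database is written; the sample database is constructed for this example.

```shell
#!/bin/sh
# Added example: check a serial's status straight from the CA database
# rather than trusting the exit status of 'openssl ca -status'.

# Normalise a serial the way it is assumed to be recorded in index.txt:
# uppercase hex, zero-padded to an even number of digits.
normalize_serial() {
    s=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    if [ $(( ${#s} % 2 )) -eq 1 ]; then
        s="0$s"
    fi
    printf '%s' "$s"
}

# Print the status flag (V = valid, R = revoked, E = expired) recorded for
# the serial in the given index.txt, or NOTFOUND.
# Exit status: 0 when the serial is present, 1 when it is not.
index_status() {
    db=$1
    serial=$(normalize_serial "$2")
    # Assumed layout: field 1 is the status flag, field 4 the serial.
    flag=$(awk -v s="$serial" 'BEGIN { FS = "\t" } $4 == s { print $1; exit }' "$db")
    if [ -z "$flag" ]; then
        printf 'NOTFOUND\n'
        return 1
    fi
    printf '%s\n' "$flag"
}

# Run the same query as the post and report the tool's printed result and
# its exit status separately. Needs a real CA directory (config, key, cert).
ca_status() {
    config=$1 key=$2 cert=$3 serial=$4
    out=$(openssl ca -config "$config" -keyfile "$key" -cert "$cert" \
                     -status "$serial" 2>&1)
    rc=$?
    printf 'openssl ca output: %s\n' "$out"
    printf 'openssl ca exit status: %d\n' "$rc"
    printf 'index.txt status:  %s\n' "$(index_status "$(dirname "$config")/index.txt" "$serial")"
}

# Constructed sample index.txt: one valid entry and one revoked entry.
make_sample_db() {
    db=$1
    printf 'V\t300101000000Z\t\t01\tunknown\t/CN=client-valid\n' > "$db"
    printf 'R\t300101000000Z\t200415120000Z,superseded\tAB12\tunknown\t/CN=client-revoked\n' >> "$db"
}

# Stand-alone demonstration on the constructed database.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_db "$tmp"
    for serial in 1 ab12 99; do
        printf '%s -> %s\n' "$serial" "$(index_status "$tmp" "$serial")"
    done
    rm -f "$tmp"
fi
```

Run with `sh script.sh demo` to see the lookup on the constructed database; point ca_status at a real pki directory (config, private key, CA certificate, serial) to put the tool's exit status next to the status actually recorded in index.txt.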
