Greetings openssl users,
I'm a long-time lurker.
I am trying to use the 'openssl ca' command to verify the status of a certificate by serial number only. I can successfully complete this task; however, the 'openssl ca' command always returns an error on completion.
I must point out, in advance, that I am using EasyRSA and EasyTLS to build my PKI and I am using the OpenSSL command line to get the serial number status. So, apologies in advance if this is an off-topic or spammy question.
Also, I am not asking for help with either EasyRSA or EasyTLS; I only want to ascertain if my observation that openssl "always returns error 1" is correct. Unfortunately, my C skills are too basic to be able to verify this from the openssl source code, which is why I must ask here.
Thank you in advance for all of your time and any feedback.
Anyway, "in for a penny .." and so I shall continue ..
For reference:
uname -a:
Linux arch-hyv-live-64 5.6.4-arch1-1 #1 SMP PREEMPT Mon, 13 Apr 2020 12:21:19 +0000 x86_64 GNU/Linux
OpenSSL: OpenSSL 1.1.1f 31 Mar 2020
EasyRSA: https://github.com/OpenVPN/easy-rsa/releases/tag/v3.0.7
EasyTLS: https://github.com/TinCanTech/easy-tls
The steps to reproduce this problem could not be simpler:
[tct@arch-hyv-live-64 ~]$ mkdir easytls
[tct@arch-hyv-live-64 ~]$ cd easytls/
[tct@arch-hyv-live-64 easytls]$ git clone https://github.com/TinCanTech/easy-tls.git master
[tct@arch-hyv-live-64 easytls]$ cd master/
[tct@arch-hyv-live-64 master]$ ./op_test.sh
If you choose to run op_test.sh it will:
1. download 'easyrsa' script only (the complete repo is not required).
2. download 'openssl-easyrsa.cnf' (the specific EasyRSA config file to use
openssl).
3. download a pre-built version of openvpn-git/master which is required to
build tls-crypt-v2 keys and therefore allow the script to complete.
4. build a complete EasyRSA PKI with valid and revoked certificates.
5. build an EasyTLS "PKI" (not a real PKI but I don't have a better name)
Steps 1-5 only take a few seconds to complete.
Next:
[tct@arch-hyv-live-64 master]$ cd pki
[tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf -keyfile private/ca.key -cert ca.crt
This will essentially list out index.txt
[tct@arch-hyv-live-64 pki]$ echo $?
Note exit status
Then use a valid and then a revoked serial no. from the index.txt above and run:
[tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf -keyfile private/ca.key -cert ca.crt -status $serial_number
[tct@arch-hyv-live-64 pki]$ echo $?
Note exit status
Repeat this last step with another serial number.
Again, my apologies if this email appears to be overly spammy, but this was the most effective way for me to explain my issue with sufficient detail.
I am prepared to learn, in advance, that either:
* this is not an openssl error and exit code 1 is expected
or
* if I built the PKI myself then openssl would not return an error
but, at this time, this appears to me to be a problem with openssl.
Thank you for reading and I welcome any/all feedback.
--
Richard Bonhomme. (Independent)
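The post above relies on the exit status of 'openssl ca -status' to learn whether a serial is valid or revoked. As an added example (not part of the original email, and not EasyRSA, EasyTLS or OpenSSL project code), the script below answers the same question by reading the CA database file index.txt directly, so a script can decide on the status letter it finds rather than on a tool's exit code. It assumes the standard 'openssl ca' index.txt layout: tab-separated columns of status (V valid, R revoked, E expired), expiry date, revocation date (empty unless revoked), serial in hex, certificate filename and subject DN. The sample index.txt contents are constructed for the example; the function name cert_status is the example's own.

```shell
#!/bin/sh
# Added example: look up a certificate's status in an 'openssl ca' index.txt
# by serial number, independent of the exit code of 'openssl ca -status'.
#
# index.txt columns (tab-separated):
#   1 status (V/R/E)  2 expiry  3 revocation date (empty if not revoked)
#   4 serial (hex)    5 filename (usually "unknown")  6 subject DN

# cert_status INDEX_FILE SERIAL
# Prints the status letter (V, R or E) for SERIAL and returns 0 when the
# serial is present in the index, 1 when it is not.
# The serial comparison is case-insensitive, so 0a1b matches 0A1B.
cert_status() {
    index_file=$1
    serial=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    awk -F'\t' -v s="$serial" '
        toupper($4) == s { print $1; found = 1; exit }
        END { exit !found }
    ' "$index_file"
}

# Constructed sample index.txt (not a real CA database).
SAMPLE_INDEX=$(mktemp)
trap 'rm -f "$SAMPLE_INDEX"' EXIT
printf 'V\t300101000000Z\t\t01\tunknown\t/CN=server-one\n'                 >  "$SAMPLE_INDEX"
printf 'R\t300101000000Z\t200415120000Z\t02\tunknown\t/CN=client-revoked\n' >> "$SAMPLE_INDEX"
printf 'V\t300101000000Z\t\t0A1B\tunknown\t/CN=client-two\n'                >> "$SAMPLE_INDEX"

# Usage: decide on the status letter, and treat "not found" as its own case.
for serial in 01 02 0a1b 99; do
    if status=$(cert_status "$SAMPLE_INDEX" "$serial"); then
        case $status in
            V) echo "serial $serial: valid" ;;
            R) echo "serial $serial: revoked" ;;
            E) echo "serial $serial: expired" ;;
            *) echo "serial $serial: unknown status '$status'" ;;
        esac
    else
        echo "serial $serial: not in index"
    fi
done
```

Run this against a real CA's pki/index.txt (for the post's layout, the file next to the safessl-easyrsa.cnf in use) to cross-check what 'openssl ca -status' prints; the index is the same database that command reads, so the two should agree on V versus R even if the exit codes differ.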