I'm following a procedure for generating an offline CA for use with Microsoft
Active Directory Certificate Services for my own internal use, with instructions
available here:
https://www.altaro.com/hyper-v/wsl-offline-root-certificate-authority-windows-pki/
I am, however, using a different computer with OpenSSL 1.1.1i for root CA key
generation and intermediate CA signing, not WSL.
I'm trying to sign the intermediate certificate, but I get this error:
$ openssl ca -batch -in subca.req -extensions v3_subca -config ca.conf
Using configuration from ca.conf
Error Loading extension section v3_subca
4583112192:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:crypto/x509v3/v3_alt.c:548:name=crlDistributionPoints
4583112192:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=@crl_section
Here are the contents of ca.conf. I have removed the full pathnames in
[ CA_default ] and my actual domain for privacy:
---------------
rootcaname=Domain Root Certification Authority
rootcaissuerssite=ldap:///CN=Domain Root Certification Authority,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=local?cACertificate
rootcrldistributionpoint=ldap:///CN=Domain Root Certification Authority,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /ca
certs = /ca/certs
crl_dir = /ca/crl
database = /ca/index.txt
new_certs_dir = /ca/certs
certificate = /ca/ca.crt
serial = /ca/serial
crlnumber = /ca/crlnumber
crl = /ca/crl/$rootcaname.crl
crl_extensions = crl_ext
private_key = /ca/ca.key
#RANDFILE = /ca/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 1825
default_crl_days = 365
default_md = sha256
preserve = no
policy = policy_match
email_in_dn = no
rand_serial = yes
[ policy_match ]
commonName = supplied
[ req ]
default_bits = 3072
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
commonName = Domain Intermediate Certification Authority
commonName_max = 64
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=critical,CA:true
keyUsage=critical,digitalSignature,cRLSign,keyCertSign
[ v3_subca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=critical,CA:true
keyUsage=critical,digitalSignature,cRLSign,keyCertSign
authorityInfoAccess = @v3_root_aia
crlDistributionPoints = @crl_section
[ v3_root_aia ]
caIssuers;URI=$rootcaissuerssite
#OCSP;URI=$rootocspsite
[ crl_ext ]
authorityKeyIdentifier=keyid:always
issuerAltName=issuer:copy
[crl_section]
crlDistributionPoints = URI:$rootcrldistributionpoint
---------------
I think the problem is with the commas in the URI I want to use for
crlDistributionPoints:
ldap:///CN=Domain Root Certification Authority,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
How can I properly include this URI in the certificate?
Thanks!
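The following is an added example of an OpenSSL config fragment that the 1.1.1 extension parser accepts; it is not the poster's file and not the Altaro procedure. The variable name rootcrldistributionpoint is reused from the question, and the LDAP URI is a placeholder with the same shape as the poster's (domain and CA name replaced). It shows the two reference forms for crlDistributionPoints and what each form expects inside its section; the error in the question comes from mixing them.

```ini
# Added example (not from the original question). Demonstrates the two
# ways OpenSSL 1.1.1 lets you point crlDistributionPoints at a config
# section, and which keys each form expects inside that section.

# Placeholder value standing in for the poster's real CDP (domain and CA
# name changed). Spaces are %20-encoded: RFC 3986 does not allow raw
# spaces in a URI, and AD CS itself publishes its LDAP CDP URLs encoded.
rootcrldistributionpoint = ldap:///CN=Example%20Root%20CA,CN=DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=example,DC=test?certificateRevocationList?base?objectClass=cRLDistributionPoint

[ v3_subca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:true
keyUsage               = critical,digitalSignature,cRLSign,keyCertSign
authorityInfoAccess    = @v3_root_aia
# Form 1 ("@section"): the section is handed straight to the general-name
# parser, so every key in it must be a name type (URI, DNS, email, IP,
# dirName, RID, otherName). A key called crlDistributionPoints is not a
# name type, which is exactly the "unsupported option" the error reports.
crlDistributionPoints  = @crl_names
# Form 2 (no "@"): the section is a distribution-point section with the
# documented keys fullname / relativename / CRLissuer / reasons.
# crlDistributionPoints = crldp_section

[ v3_root_aia ]
caIssuers;URI = ldap:///CN=Example%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=example,DC=test?cACertificate

# Form 1 section. A value read from a section is taken verbatim and is
# NOT split on commas, so the LDAP DN survives. Only the single-line form
# "crlDistributionPoints = URI:..." is comma-split, which is why the DN
# cannot be written that way.
[ crl_names ]
URI.0 = $rootcrldistributionpoint

# Form 2 section. "fullname = URI:..." IS comma-split (it goes through the
# list parser), so for a URI containing commas point fullname at a
# general-name section instead of writing the URI inline.
[ crldp_section ]
fullname = @crl_names
```

Whichever form is used, confirm the result before distributing the intermediate certificate: `openssl x509 -in subca.crt -noout -text` should print an "X509v3 CRL Distribution Points" block whose "Full Name" contains the whole LDAP URI, including the DC= components after the commas.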