> From: rgordey@xxxxxxxxxxxxxxx <rgordey@xxxxxxxxxxxxxxx>
> Sent: Saturday, 21 August, 2021 11:26
>
> My openssl.cnf (I have tried `\` and `\\` and `/` directory separators):

Use forward slashes. Backslashes should work on Windows, but forward slashes work everywhere. I don't know that "\\" will work anywhere.

> [ ca ]
> default_ca = testca
>
> [ testca ]
> dir = .
> certificate = $dir\\ca_certificate.pem
> database = $dir\\index.txt

What's in index.txt? Is it a valid OpenSSL CA index file, or completely empty (zero length)? If it's not either of those, replace it with an empty file, for example with:

copy nul index.txt

> new_certs_dir = $dir\\certs
> private_key = $dir\\private\\ca_private_key.pem

These directories exist?

> serial = $dir\\serial

This file exists? Though you really shouldn't be assigning serial numbers; you should let OpenSSL create them using the -create_serial option.

>
> default_crl_days = 7
> default_days = 365
> default_md = sha256
>
> policy = testca_policy
> x509_extensions = certificate_extensions
>
> [ testca_policy ]
> commonName = supplied
> stateOrProvinceName = optional
> countryName = optional
> emailAddress = optional
> organizationName = optional
> organizationalUnitName = optional
> domainComponent = optional
>
> [ certificate_extensions ]
> basicConstraints = CA:false
>
> [ req ]
> default_bits = 2048
> default_keyfile = .\\private\\ca_private_key.pem
> default_md = sha256
> prompt = yes
> distinguished_name = root_ca_distinguished_name
> x509_extensions = root_ca_extensions
>
> [ root_ca_distinguished_name ]
> commonName = hostname
>
> [ root_ca_extensions ]
> basicConstraints = CA:true
> keyUsage = keyCertSign, cRLSign
>
> [ client_ca_extensions ]
> basicConstraints = CA:false
> keyUsage = digitalSignature,keyEncipherment
> extendedKeyUsage = 1.3.6.1.5.5.7.3.2

Why are you specifying this by OID? Just use "extendedKeyUsage = clientAuth". (I'm assuming a reasonably recent OpenSSL version.)

>
> [ server_ca_extensions ]
> basicConstraints = CA:false
> keyUsage = digitalSignature,keyEncipherment
> extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Your command line was:

> openssl ca -config .\openssl.cnf -in ../server/req.pem -out server_certificate.pem -notext -batch -extensions server_ca_extensions

Try it without -batch and with -verbose. And again I'd recommend -create_serial, unless you have some strange requirement to control serial numbers. Browsers in particular may be unhappy if your serial numbers don't conform to the CA/BF Basic Requirements, and it's a pain trying to do that manually.

--
Michael Wojcik
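An added pre-flight check for the CA layout the reply asks about (index.txt contents, the certs and private directories, the serial file), written here as an example and not taken from the thread or from OpenSSL. It assumes a POSIX shell such as Git Bash, the directory names from the quoted openssl.cnf with forward slashes, and that openssl is on the PATH.

```shell
#!/usr/bin/env bash
# Added example: answer the pre-flight questions from the reply above, then
# sign with -create_serial so OpenSSL manages the serial file itself.
# Assumed layout (the config's $dir/... entries, forward slashes):
#   $ca/ca_certificate.pem   $ca/private/ca_private_key.pem
#   $ca/index.txt            $ca/certs/        (optionally $ca/serial)
set -u

# Return 0 if index.txt is empty or a valid OpenSSL CA database: one entry
# per line with six tab-separated fields whose status is V (valid),
# R (revoked) or E (expired). Return 1 if missing or malformed.
check_index() {
  local index="$1"
  [ -f "$index" ] || return 1
  awk -F'\t' '
    NF != 6 || $1 !~ /^[VRE]$/ { bad = 1 }
    END { exit bad ? 1 : 0 }' "$index"
}

# Check the files and directories the config references; print one line
# per problem and return the number of problems (0 means ready to sign).
preflight_ca() {
  local ca="$1" problems=0
  check_index "$ca/index.txt" || {
    echo "index.txt missing or not a CA database; reset it with: : > $ca/index.txt"
    problems=$((problems + 1)); }
  [ -d "$ca/certs" ] || {
    echo "new_certs_dir $ca/certs does not exist"; problems=$((problems + 1)); }
  [ -f "$ca/private/ca_private_key.pem" ] || {
    echo "private_key $ca/private/ca_private_key.pem missing"; problems=$((problems + 1)); }
  [ -f "$ca/ca_certificate.pem" ] || {
    echo "certificate $ca/ca_certificate.pem missing"; problems=$((problems + 1)); }
  # No check for $ca/serial: -create_serial below creates it on first use.
  return "$problems"
}

# Sign a server request only when the pre-flight passes. No -batch, so
# OpenSSL asks before committing; -verbose shows which files it reads,
# which is where path mistakes surface.
sign_server_cert() {
  local ca="$1" req="$2" out="$3"
  preflight_ca "$ca" || return 1
  openssl ca -config "$ca/openssl.cnf" -create_serial -verbose \
    -in "$req" -out "$out" -notext -extensions server_ca_extensions
}
```

Run `preflight_ca ./ca` first; it lists every missing piece at once instead of stopping at the first one the ca command trips over.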