Hello,
I need to create a certificate request using a pluggable
engine, in my case it's GOST, that I built in LibreSSL and
attached to OpenSSL 3.0.x.
So, in LibreSSL, say, I have a call like
openssl req -newkey gost2001 -pkeyopt dgst:streebog256 -pkeyopt paramset:A -streebog256 \
-nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=John Doe/emailaddress=doe@xxxxxxx" \
-keyout /tmp/key.pem -out /tmp/csr.pem -utf8
and it pretty much does the job. But OpenSSL 3.0.x doesn't recognize streebog256 as an acceptable digest:
Key parameter error "dgst:streebog256"
That is because its manual page clearly states:
"The engine is not used for digests unless the -engine_impl option is used or it is configured to do so, see "Engine Configuration Module" in config(5)."
Funny thing is, the config(5) manual page doesn't say a word about configuring digests (I was able to configure gost as an engine for default loading as there are plenty of examples).
So, when using openssl dgst with both -engine gost and -engine_impl gost
I can see the needed streebog256 as a valid digest, but how do I do
this while calling openssl req or when using openssl.cnf?
Thanks.
Eugene.