[openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?
PGNet Dev
pgnet.dev at gmail.com
Sun Jun 4 19:17:53 UTC 2017
I've a new, local CA for (primary) local, self-signed, elliptical cert issuance & use.
I've built/installed,
    openssl version
    OpenSSL 1.1.0f 25 May 2017

I've created a ROOT crt & key, & an INTERMEDIATE key & csr.
On exec of signing the INTERMEDIATE key with the ROOT.
    openssl ca -batch \
        -notext \
        -extensions ext_intermediate \
        -config /home/sec/newCA/openssl.cnf \
        -name ca_root \
        -in intermediate/csr/newCA.INTERMEDIATE.csr.pem \
        -out intermediate/certs/newCA.INTERMEDIATE.crt.pem

It appears to complete -- the cert's created
    openssl x509 \
        -noout \
        -text \
        -in intermediate/certs/newCA.INTERMEDIATE.crt.pem

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 4096 (0x1000)
        Signature Algorithm: ecdsa-with-SHA256
    ...

but the process STARTS with an apparently non-fatal error ...
    Using configuration from /home/sec/newCA/openssl.cnf
    Can't open root/database.attr for reading, No such file or directory
    140013244086016:error:02001002:system library:fopen::crypto/bio/bss_file.c:74:fopen('root/database.attr','r')
    140013244086016:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Jun 4 18:54:29 2017 GMT
            Not After : Jun 2 18:54:29 2027 GMT
    ...
    Write out database with 1 new entries
    Data Base Updated

The only mention of
    root/database
is in my openssl.conf
    ...
    [ ca_root ]
    dir = root
    certs = $dir/certs
    crl_dir = $dir/crl
    new_certs_dir = $dir/newcerts
    database = $dir/database <-------------
    unique_subject = yes
    ...

PRIOR to creating the ROOT key, I
    touch root/database
    touch intermediate/database

AFTER the signing,
    ls -al root/database*
    -rw-r--r-- 1 root root 167 Jun 4 11:54 root/database
    -rw-r--r-- 1 root root 21 Jun 4 11:54 root/database.attr
    -rw-r--r-- 1 root root 0 Jun 4 11:51 root/database.old

and if I RE-exec the cmd,
    openssl ca -batch \
    ...

there's no more error
    Using configuration /home/sec/newCA/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    ...

Checking
    cat root/database.attr
    unique_subject = yes

Which appears (?) to originate from the "[ ca_root ]" in my openssl.cnf
Do I need to touch, or manually populate, the
    root/database.attr
prior to first exec to init as well?
Or is this a bug?
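
Editor's added example, not part of the original post and not OpenSSL code: the fopen trace above shows `openssl ca` looking for the `.attr` companion of the configured `database` before it exists, and the second run, with that file in place, is quiet. The script below reads one CA section of the config and pre-creates both files with the same `unique_subject` line the post shows in `root/database.attr`. The helper names `ca_value` and `init_ca_db` are hypothetical, only the `$dir/` prefix form from the post's config is expanded, and `unique_subject` is assumed to be `yes` when the section does not set it.

```shell
#!/bin/sh
# Added example. ca_value and init_ca_db are hypothetical helpers, not OpenSSL tools.

# Print the value of KEY inside [ SECTION ] of an openssl.cnf-style file.
ca_value() {    # usage: ca_value CONFIG SECTION KEY
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s)
            in_sec = (s == sec); next
        }
        in_sec {
            line = $0; sub(/#.*/, "", line)        # drop comments
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Create the index and its .attr companion for one CA section if they are missing.
# Runs in a subshell so the umask change stays local. Prints the database path.
init_ca_db() (  # usage: init_ca_db CONFIG SECTION   (run from the CA base directory)
    dir=$(ca_value "$1" "$2" dir)
    db=$(ca_value "$1" "$2" database)
    uniq=$(ca_value "$1" "$2" unique_subject)
    [ -n "$db" ] || { echo "no database setting in [$2]" >&2; exit 1; }
    # Only the "$dir/" prefix form used in the post's config is expanded.
    case $db in '$dir'/*) db=$dir/${db#'$dir'/} ;; esac
    umask 077                                      # keep CA state private
    mkdir -p "$(dirname "$db")"
    [ -e "$db" ] || : > "$db"                      # empty index, like touch
    # Same line openssl wrote to database.attr in the post; assumes "yes" if unset.
    [ -e "$db.attr" ] || printf 'unique_subject = %s\n' "${uniq:-yes}" > "$db.attr"
    printf '%s\n' "$db"
)

# Demo on a constructed config in a temp directory: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    cd "$(mktemp -d)" || exit 1
    printf '[ ca_root ]\ndir = root\ndatabase = $dir/database\nunique_subject = yes\n' > openssl.cnf
    init_ca_db openssl.cnf ca_root && cat root/database.attr
fi
```

Existing files are left untouched, so the function is safe to rerun against a CA that has already issued certificates.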