[openssl-users] Env variables in config file to add a whole line
Robert Moskowitz
rgm at htt-consult.com
Wed Sep 6 16:55:27 UTC 2017
I got past the error to build the CSR by using:
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI
Just $crlDP failed even though I had this defined in the [ca} section.
The CSR does not use the user_cert or server_cert. This was 'just' a
config file syntax issue. When I try to make the cert I get the following:
crlDP=URI:http://www.htt-consult.com/pki/intermediate.crl.pem
default_crl_days=30
ocspIAI="OCSP;URI:http://ocsp.htt-consult.com"
openssl ca -config $dir/openssl-intermediate.cnf -days 375\
-extensions server_cert -notext -md sha256 \
-in $dir/csr/$serverfqdn.csr.$format\
-out $dir/certs/$serverfqdn.cert.$format
It works. But if I DON'T want a CRL or OCSP support and I use:
crlDP=
ocspIAI=
with the same command I get:
Error Loading extension section server_cert
3069510608:error:0E06D06C:configuration file
routines:NCONF_get_string:no
value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
3069510608:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid
null name:crypto/x509v3/v3_utl.c:316:
3069510608:error:22097069:X509 V3 routines:do_ext_nconf:invalid
extension
string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
3069510608:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
So I need a way to have a 'null' value for NO CRL or NO OCSP.
I don't want to have to use SED to edit the config file based on what
the goal is...
thanks
Bob
On 09/06/2017 12:23 PM, Robert Moskowitz wrote:
> I am trying to use an environment variable to add a whole line to the
> config file. This is to control adding (or not providing) CRL and/or
> OCSP support.
>
> export shows:
>
> declare -x crlDP="crlDistributionPoints =
> URI:http://www.htt-consult.com/pki/intermediate.crl.pem"
> declare -x default_crl_days="default_crl_days = 30"
> declare -x ocspIAI="authorityInfoAccess =
> OCSP;URI:http://ocsp.htt-consult.com"
>
> The config file starts with:
>
>
> [ ca ]
> # `man ca`
> default_ca = CA_default
>
> [ CA_default ]
> # Directory and file locations.
> dir= $ENV::dir
> cadir = $ENV::cadir
> format= $ENV::format
> crlDP = $ENV::crlDP
> default_crl_days = $ENV::default_crl_days
> ocspIAI = $ENV::ocspIAI
>
>
> The usr_cert section has:
>
> [ usr_cert ]
> # Extensions for client certificates (`man x509v3_config`).
> basicConstraints = CA:FALSE
> nsCertType = client, email
> nsComment = "OpenSSL Generated Client Certificate"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
> extendedKeyUsage = clientAuth, emailProtection
> $crlDP
> $ocspIAI
>
> Note that the line with "$crlDP" is line 123
>
> When I run the command:
>
> openssl req -config $dir/openssl-intermediate.cnf -key
> $dir/private/$serverfqdn.key.$format -subj "$DN" -new -sha256
> -out $dir/csr/$serverfqdn.csr.$format
>
> I get the error:
>
> req: Error on line 123 of config file
> "/home/rgm/ca/intermediate/openssl-intermediate.cnf"
> unable to find 'distinguished_name' in config
> problems making Certificate Request
> 3070145488:error:0E06D06A:configuration file
> routines:NCONF_get_string:no conf or environment
> variable:crypto/conf/conf_lib.c:272:
>
> note that if I:
>
> grep -n distinguished_name openssl-intermediate.cnf
>
> 68:distinguished_name = req_distinguished_name
> 78:[ req_distinguished_name ]
>
> So the warning about unable to find 'distinguished_name' in config
>
> Is misleading. The problem is more likely with line 123 which is only
> the env variable.
>
> I can play around with this and hopefully the variables to work as
>
> crlDistributionPoints = $crlDP
>
> And if $crlDP is empty, it will not put an empty value into the cert.
> But why does what I have not work?
>
> thanks
>
> Bob
>
More information about the openssl-users
mailing list