[openssl-users] Errors on EndEntity cert generation

[Viktor Dukhovni]

On Jul 27, 2018, at 1:20 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> 
> On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
>> 
>>> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>> 
>>> Error Loading extension section server_cert
>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
>>> 3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
>>> 3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
>>> 3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
>>> 
>>> Please help me with these latest errors.
>> Start with a less exotic ".cnf" file.  These are all configuration errors,
>> unrelated to ed25519.  Get a working RSA config file, and then switch
>> algorithms.
>> 
> I am using a working ecdsa config file

It is a good idea to read that file and match the error messages
to the file content.  You'll quickly find a bunch of $ENV:: settings
that must yield non-empty results, but you (surely) don't have those
environment variables set...  There are perhaps other issues.

> (the one in my draft-moskowitz-ecdsa-pki):
> 
> # OpenSSL intermediate CA configuration file.
> # Copy to `$dir/intermediate/openssl-intermediate.cnf`.
> 
> [ ca ]
> # `man ca`
> default_ca = CA_default
> 
> [ CA_default ]
> # Directory and file locations.
> dir= $ENV::dir
> cadir = $ENV::cadir
> format= $ENV::format
> 
> certs = $dir/certs
> crl_dir  = $dir/crl
> new_certs_dir  = $dir/newcerts
> database = $dir/index.txt
> serial= $dir/serial
> RANDFILE = $dir/private/.rand
> 
> # The Intermediate key and Intermediate certificate.
> private_key = $dir/private/intermediate.key.$format
> certificate = $dir/certs/intermediate.cert.$format
> 
> # For certificate revocation lists.
> crlnumber= $dir/crlnumber
> crl= $dir/crl/intermediate.crl.pem
> crl_extensions = crl_ext
> default_crl_days  = $ENV::default_crl_days
> 
> # SHA-1 is deprecated, so use SHA-2 instead.
> # default_md  = sha256
> 
> name_opt = ca_default
> cert_opt = ca_default
> default_days= 375
> preserve = no
> policy= policy_loose
> copy_extensions= copy
> 
> [ policy_strict ]
> # The root CA should only sign intermediate certificates that match.
> # See the POLICY FORMAT section of `man ca`.
> countryName = match
> stateOrProvinceName  = match
> organizationName  = match
> organizationalUnitName  = optional
> commonName  = optional
> 
> [ policy_loose ]
> # Allow the intermediate CA to sign a more
> #  diverse range of certificates.
> # See the POLICY FORMAT section of the `ca` man page.
> countryName = optional
> stateOrProvinceName  = optional
> localityName= optional
> organizationName  = optional
> organizationalUnitName  = optional
> commonName  = optional
> UID= optional
> 
> [ req ]
> # Options for the `req` tool (`man req`).
> default_bits  = 2048
> distinguished_name  = req_distinguished_name
> string_mask= utf8only
> req_extensions= req_ext
> 
> # SHA-1 is deprecated, so use SHA-2 instead.
> # default_md = sha256
> 
> # Extension to add when the -x509 option is used.
> x509_extensions  = v3_ca
> 
> [ req_distinguished_name ]
> # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
> countryName= Country Name (2 letter code)
> stateOrProvinceName = State or Province Name
> localityName  = Locality Name
> 0.organizationName  = Organization Name
> organizationalUnitName = Organizational Unit Name
> commonName = Common Name
> UID  = User ID
> 
> # Optionally, specify some defaults.
> # countryName_default = US
> # stateOrProvinceName_default  = MI
> # localityName_default= Oak Park
> # 0.organizationName_default= HTT Consulting
> # organizationalUnitName_default  =
> 
> [ req_ext ]
> subjectAltName = $ENV::subjectAltName
> 
> [ v3_ca ]
> # Extensions for a typical CA (`man x509v3_config`).
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true
> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
> keyUsage = critical, cRLSign, keyCertSign
> 
> [ v3_intermediate_ca ]
> # Extensions for a typical intermediate CA (`man x509v3_config`).
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true, pathlen:0
> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
> keyUsage = critical, cRLSign, keyCertSign
> 
> [ usr_cert ]
> # Extensions for client certificates (`man x509v3_config`).
> basicConstraints = CA:FALSE
> nsCertType = client, email
> nsComment = "OpenSSL Generated Client Certificate"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
> extendedKeyUsage = clientAuth, emailProtection
> crlDistributionPoints = $ENV::crlDP
> authorityInfoAccess = $ENV::ocspIAI
> 
> [ server_cert ]
> # Extensions for server certificates (`man x509v3_config`).
> basicConstraints = CA:FALSE
> nsCertType = server
> nsComment = "OpenSSL Generated Server Certificate"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer:always
> keyUsage = critical, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> crlDistributionPoints = $ENV::crlDP
> authorityInfoAccess = $ENV::ocspIAI
> 
> [ crl_ext ]
> # Extension for CRLs (`man x509v3_config`).
> authorityKeyIdentifier=keyid:always
> 
> [ ocsp ]
> # Extension for OCSP signing certificates (`man ocsp`).
> basicConstraints = CA:FALSE
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical, digitalSignature
> extendedKeyUsage = critical, OCSPSigning

-- 
	Viktor.