Help with certificatePolicies section
Richard Simard
richard.simard@groupesti.com
Tue Apr 7 15:57:23 UTC 2020
Libor Chocholaty
openssl ca -config etc/intermediate.cnf -extensions server_cert -days 1825 -notext -md sha256 -in intermediate/csr/test.groupesti.com.csr -out intermediate/certs/test.groupesti.com.crt
Using configuration from etc/intermediate.cnf
Enter pass phrase for /CA/intermediate/private/intermediate.key: ************
Error Loading extension section server_cert
140542588306560:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=email_in_dn
140542588306560:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=rand_serial
140542588306560:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
140542588306560:error:2208306E:X509 V3 routines:policy_section:invalid object identifier:../crypto/x509v3/v3_cpols.c:183:section:Cert_policy_server,name:policyIdentifier,value:GroupeSTIAssurance, GroupeSTIDevice
140542588306560:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=certificatePolicies, value=ia5org, @Cert_policy_server
Intermediate.cnf
[ openssl_init ]
oid_section = oids_section
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /CA/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/intermediate.key
certificate = $dir/certs/intermediate.crt
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
utf8 = yes
string_mask = utf8only
name_opt = multiline, -esc_msb, utf8
default_md = sha256
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = "1. Country name (2 letters) (Ex, CA) "
countryName_max = 2
countryName_default = CA
stateOrProvinceName = "2. State or province name (Ex, Québec) "
stateOrProvinceName_default = Québec
localityName = "3. Locality name (Ex, Saguenay) "
localityName_default = Saguenay
organizationName = "4. Organization name (Ex, Groupe Solutions TI) "
organizationName_default = Groupe Solutions TI Inc.
organizationalUnitName = "5. Organizational unit name (Ex, Web services) "
organizationalUnitName_default =
commonName = "6. Person's name (Ex, Jean Tremblay) "
commonName_max = 64
commonName_default =
emailAddress = "7. Email address (Ex, you@domain.com) "
emailAddress_max = 64
emailAddress_default =
[ issuer_section ]
O = Groupe Solutions TI Inc.
CN = Groupe Solutions TI Inc. - Autorité TLS V3 Principal
C = CA
ST = Québec
L = Saguenay
streetAddress = 3-4109, Saint-Alexandre
postalCode = G8A 2H1
emailAddress = support@groupesti.com
telephoneNumber = +1 (418) 695-9007
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
SMIME-CAPS = ASN1:SEQUENCE:smime_seq
crlDistributionPoints = crl_section
[ Policy_usr_cert ]
policyIdentifier = GroupeSTIAssurance, GroupeSTIUser
CPS = http://cps.groupesti.com
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
certificatePolicies = ia5org, @Cert_policy_server
crlDistributionPoints = crl_section
[ Cert_policy_server ]
policyIdentifier = GroupeSTIAssurance, GroupeSTIDevice
CPS.1 = http://cps.groupesti.com
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ crl_section ]
fullname = URI:http://pki.groupesti.com/ca.crl
CRLissuer = dirName:issuer_section
reasons = keyCompromise, CACompromise
authorityKeyIdentifier = keyid:always
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[ smime_seq ]
SMIMECapability.0 = SEQWRAP, OID:sha1
SMIMECapability.1 = SEQWRAP, OID:sha256
SMIMECapability.2 = SEQWRAP, OID:sha1WithRSA
SMIMECapability.3 = SEQWRAP, OID:aes-256-ecb
SMIMECapability.4 = SEQWRAP, OID:aes-256-cbc
SMIMECapability.5 = SEQWRAP, OID:aes-256-ofb
SMIMECapability.6 = SEQWRAP, OID:aes-128-ecb
SMIMECapability.7 = SEQWRAP, OID:aes-128-cbc
SMIMECapability.8 = SEQWRAP, OID:aes-128-ecb
SMIMECapability.9 = SEQUENCE:rsa_enc
[ oids_section ]
GroupeSTIAssurance = 1.3.6.1.4.1.51063.0.1
GroupeSTIUser = 1.3.6.1.4.1.51063.0.1.0
GroupeSTIDevice = 1.3.6.1.4.1.51063.0.1.1
GroupeSTIAssuranceEV = 1.3.6.1.4.1.51063.0.1.2
From: openssl-users <openssl-users-bounces@openssl.org> On behalf of Libor Chocholaty
Sent: April 6, 2020 16:42
To: openssl-users@openssl.org
Subject: Re: Help with certificatePolicies section
Hi,
could you share commands that led to this error?
It looks to me like a reference to a non-existent section in the config file, such as the one named by the "-extensions" option.
Regards,
Libor
On 2020-04-06 19:43, Richard Simard wrote:
Hi!
Can anybody help me with this error?
Error Loading extension section server_cert
140091048477824:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=email_in_dn
140091048477824:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=rand_serial
140091048477824:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
140091048477824:error:2208306E:X509 V3 routines:policy_section:invalid object identifier:../crypto/x509v3/v3_cpols.c:183:section:Cert_policy_server,name:policyIdentifier,value:GroupeSTIAssurance, GroupeSTIDevice
140091048477824:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=certificatePolicies, value=ia5org,1.3.6.1.4.1.51063,@Cert_policy_server
[ openssl_init ]
oid_section = oids_section
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
certificatePolicies = ia5org, @Cert_policy_server
crlDistributionPoints = crl_section
[ Cert_policy_server ]
policyIdentifier = GroupeSTIAssurance, GroupeSTIDevice
CPS.1 = http://cps.groupesti.com
[ crl_section ]
fullname = URI:http://pki.groupesti.com/ca.crl
CRLissuer = dirName:issuer_section
reasons = keyCompromise, CACompromise
authorityKeyIdentifier = keyid:always
[ oids_section ]
GroupeSTIAssurance = 1.3.6.1.4.1.51063.0.1
GroupeSTIUser = 1.3.6.1.4.1.51063.0.1.0
GroupeSTIDevice = 1.3.6.1.4.1.51063.0.1.1
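The decisive lines in the error output above are the two from v3_cpols.c and a_object.c: OpenSSL hands the whole string "GroupeSTIAssurance, GroupeSTIDevice" to the OID parser as a single identifier and rejects it, because a policy section's policyIdentifier carries exactly one OID. Each policy therefore needs its own section, and the certificatePolicies line lists all of them (a policy with no qualifiers can also be named directly on that line). The two "no value" lines for email_in_dn and rand_serial are the library noting optional keys that are absent and are not the failure. Two further things to check while editing: the [ openssl_init ] section is only processed if the default (unnamed) section at the top of the file contains `openssl_conf = openssl_init` (or `oid_section = oids_section` sits in the default section itself), otherwise the symbolic names stay unknown; and a crlDistributionPoints section accepts only fullname, relativename, CRLissuer and reasons, so the authorityKeyIdentifier line inside [ crl_section ] does not belong there.

The following script is an added example, not code from the thread or from the OpenSSL project. It writes a minimal config using the policy OIDs and CPS URL posted above, issues a throw-away self-signed certificate with the corrected server_cert section, and counts the policies in the decoded extension; the host name test.groupesti.com, the one-day validity and the RSA key size are assumptions for the demo. On the real intermediate CA the same `-extensions server_cert` goes on the `openssl ca` command line.

```shell
#!/bin/sh
# Added example (not from the original post): shows the corrected shape of a
# certificatePolicies extension that asserts two policies, and checks the
# result. Requires the openssl command-line tool.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Write the demo config and print its path.
# Fix for the posted error: policyIdentifier takes ONE OID per section, so
# each policy gets its own section and certificatePolicies references both.
write_config() {
    cat > "$WORK/policies.cnf" <<'EOF'
# The default (unnamed) section must name the init section, otherwise the
# oid_section is never processed and the symbolic OID names stay unknown.
openssl_conf = openssl_init

[ openssl_init ]
oid_section = oids_section

[ oids_section ]
GroupeSTIAssurance = 1.3.6.1.4.1.51063.0.1
GroupeSTIUser      = 1.3.6.1.4.1.51063.0.1.0
GroupeSTIDevice    = 1.3.6.1.4.1.51063.0.1.1

[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = test.groupesti.com

[ server_cert ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
# One @section per policy. A policy without qualifiers may also be listed
# directly by name, e.g.  certificatePolicies = ia5org, @pol_assurance, GroupeSTIDevice
certificatePolicies  = ia5org, @pol_assurance, @pol_device

[ pol_assurance ]
policyIdentifier = GroupeSTIAssurance
CPS.1            = http://cps.groupesti.com

[ pol_device ]
policyIdentifier = GroupeSTIDevice
CPS.1            = http://cps.groupesti.com
EOF
    printf '%s\n' "$WORK/policies.cnf"
}

# Issue a self-signed test certificate carrying the server_cert extensions
# (assumed demo parameters: test.groupesti.com, RSA-2048, 1 day) and print its path.
issue_test_cert() {
    cfg=$(write_config)
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -config "$cfg" -extensions server_cert -days 1 \
        -out "$WORK/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# Count policy OIDs from the 1.3.6.1.4.1.51063.0.1 arc in the decoded
# extension. `openssl x509` does not load our config, so the OIDs print in
# dotted form. Two policies are expected.
count_policies() {
    cert=$(issue_test_cert)
    openssl x509 -in "$cert" -noout -text \
        | grep -c 'Policy: 1\.3\.6\.1\.4\.1\.51063\.0\.1' || true
}

# Stand-alone run: show the decoded policies and their CPS qualifiers.
main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; nothing to demonstrate" >&2
        return 0
    fi
    cert=$(issue_test_cert)
    openssl x509 -in "$cert" -noout -text | grep -E 'Policy:|CPS:'
    echo "policies from the GroupeSTI arc: $(count_policies)"
}

main
```

Running the script prints two Policy lines, one per OID, each followed by its CPS URI, which is the encoding the posted two-value policyIdentifier was trying to produce.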