Help with certificatePolicies section
Dave Coombs
dcoombs at carillon.ca
Tue Apr 7 18:43:07 UTC 2020
Hi,
I could be wrong, but I think the problem may be that [Cert_policy_server] has a policyIdentifier with two values. Try something like:
[server_cert]
certificatePolicies = ia5org, @Cert_policy_server, @Cert_other_policy_server
[Cert_policy_server]
policyIdentifier = GroupeSTIAssurance
CPS.1 = http://cps.groupesti.com
[Cert_other_policy_server]
policyIdentifier = GroupeSTIDevice
Good luck,
-Dave
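As an added illustration, not part of Dave's reply or of OpenSSL itself, the constructed Python below builds the DER of a certificatePolicies extension from the poster's own OIDs, following the RFC 5280 layout: each PolicyInformation carries exactly one policyIdentifier, which is why two policies need two config sections. The id-qt-cps OID is the standard one; the helper names are my own.

```python
# Constructed example: DER layout of certificatePolicies (RFC 5280 section 4.2.1.4).
# Each PolicyInformation carries exactly one policyIdentifier OID, so two policies
# need two config sections, i.e. two entries in the outer SEQUENCE.
from __future__ import annotations

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # PolicyQualifierId id-qt-cps
OIDS = {  # values taken from the poster's [oids_section]
    "GroupeSTIAssurance": "1.3.6.1.4.1.51063.0.1",
    "GroupeSTIDevice": "1.3.6.1.4.1.51063.0.1.1",
}

def tlv(tag: int, body: bytes) -> bytes:
    """Tag, DER length (short form below 128, long form otherwise), value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merged as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))  # e.g. 51063 -> 83 8E 77
    return tlv(0x06, bytes(out))

def policy_information(oid: str, cps_uri: str | None = None) -> bytes:
    """PolicyInformation ::= SEQUENCE { policyIdentifier, policyQualifiers OPTIONAL }."""
    body = der_oid(oid)
    if cps_uri:  # PolicyQualifierInfo { id-qt-cps, IA5String uri } inside SEQUENCE OF
        qualifier = tlv(0x30, der_oid(ID_QT_CPS) + tlv(0x16, cps_uri.encode("ascii")))
        body += tlv(0x30, qualifier)
    return tlv(0x30, body)

def certificate_policies(entries: list[tuple[str, str | None]]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation, one per policy section."""
    return tlv(0x30, b"".join(policy_information(o, c) for o, c in entries))

def policy_count(ext: bytes) -> int:
    """Count top-level PolicyInformation entries (short-form lengths suffice here)."""
    pos, end, n = 2, 2 + ext[1], 0
    while pos < end:
        pos += 2 + ext[pos + 1]
        n += 1
    return n
```

Calling certificate_policies with the Assurance OID plus its CPS URI and the Device OID without a qualifier yields the same two-entry structure Dave's two-section config produces; openssl x509 -text would list them as two separate "Policy:" blocks.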
> On Apr 7, 2020, at 11:57, Richard Simard <richard.simard at groupesti.com> wrote:
>
> Libor Chocholaty
>
> openssl ca -config etc/intermediate.cnf -extensions server_cert -days 1825 -notext -md sha256 -in intermediate/csr/test.groupesti.com.csr -out intermediate/certs/test.groupesti.com.crt
>
> Using configuration from etc/intermediate.cnf
> Enter pass phrase for /CA/intermediate/private/intermediate.key: ************
>
> Error Loading extension section server_cert
> 140542588306560:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=email_in_dn
> 140542588306560:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=rand_serial
> 140542588306560:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 140542588306560:error:2208306E:X509 V3 routines:policy_section:invalid object identifier:../crypto/x509v3/v3_cpols.c:183:section:Cert_policy_server,name:policyIdentifier,value:GroupeSTIAssurance, GroupeSTIDevice
> 140542588306560:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=certificatePolicies, value=ia5org, @Cert_policy_server
>
> Intermediate.cnf
>
> [ openssl_init ]
> oid_section = oids_section
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = /CA/intermediate
> certs = $dir/certs
> crl_dir = $dir/crl
> new_certs_dir = $dir/newcerts
> database = $dir/index.txt
> serial = $dir/serial
> RANDFILE = $dir/private/.rand
> private_key = $dir/private/intermediate.key
> certificate = $dir/certs/intermediate.crt
> crlnumber = $dir/crlnumber
> crl = $dir/crl/intermediate.crl
> crl_extensions = crl_ext
> default_crl_days = 30
> default_md = sha256
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 375
> preserve = no
> policy = policy_loose
>
> [ policy_strict ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ policy_loose ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> default_bits = 2048
> distinguished_name = req_distinguished_name
> utf8 = yes
> string_mask = utf8only
> name_opt = multiline, -esc_msb, utf8
> default_md = sha256
> x509_extensions = v3_ca
>
> [ req_distinguished_name ]
> countryName = "1. Nom du pays (2 lettres) (Ex, CA) "
> countryName_max = 2
> countryName_default = CA
> stateOrProvinceName = "2. Nom de l'État ou de la province (Ex, Québec) "
> stateOrProvinceName_default = Québec
> localityName = "3. Nom de localité (Ex, Saguenay) "
> localityName_default = Saguenay
> organizationName = "4. Nom de l'organisation (Ex, Groupe Solutions TI) "
> organizationName_default = Groupe Solutions TI Inc.
> organizationalUnitName = "5. Nom de l'unité organisationnelle (Ex, Service web) "
> organizationalUnitName_default =
> commonName = "6. Nom de la personne (Ex, Jean Tremblay) "
> commonName_max = 64
> commonName_default =
> emailAddress = "7. Adresse courriel (Ex, vous at domain.com "
> emailAddress_max = 64
> emailAddress_default =
>
> [ issuer_section ]
> O = Groupe Solutions TI Inc.
> CN = Groupe Solutions TI Inc. - Autorité TLS V3 Principal
> C = CA
> ST = Québec
> L = Saguenay
> streetAddress = 3-4109, Saint-Alexandre
> postalCode = G8A 2H1
> emailAddress = support at groupesti.com
> telephoneNumber = +1 (418) 695-9007
>
> [ v3_ca ]
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true
> keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>
> [ v3_intermediate_ca ]
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true, pathlen:0
> keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>
> [ usr_cert ]
> basicConstraints = CA:FALSE
> nsCertType = client, email
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
> extendedKeyUsage = clientAuth, emailProtection
> SMIME-CAPS = ASN1:SEQUENCE:smime_seq
> crlDistributionPoints = crl_section
>
> [ Policy_usr_cert ]
> policyIdentifier = GroupeSTIAssurance, GroupeSTIUser
> CPS = http://cps.groupesti.com
>
> [ server_cert ]
> basicConstraints = CA:FALSE
> nsCertType = server
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid, issuer:always
> keyUsage = critical, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> certificatePolicies = ia5org, @Cert_policy_server
> crlDistributionPoints = crl_section
>
> [ Cert_policy_server ]
> policyIdentifier = GroupeSTIAssurance, GroupeSTIDevice
> CPS.1 = http://cps.groupesti.com
>
> [ crl_ext ]
> authorityKeyIdentifier = keyid:always
>
> [ crl_section ]
> fullname = URI:http://pki.groupesti.com/ca.crl
> CRLissuer = dirName:issuer_section
> reasons = keyCompromise, CACompromise
> authorityKeyIdentifier = keyid:always
>
> [ ocsp ]
> basicConstraints = CA:FALSE
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid, issuer
> keyUsage = critical, digitalSignature
> extendedKeyUsage = critical, OCSPSigning
>
> [ smime_seq ]
> SMIMECapability.0 = SEQWRAP, OID:sha1
> SMIMECapability.1 = SEQWRAP, OID:sha256
> SMIMECapability.2 = SEQWRAP, OID:sha1WithRSA
> SMIMECapability.3 = SEQWRAP, OID:aes-256-ecb
> SMIMECapability.4 = SEQWRAP, OID:aes-256-cbc
> SMIMECapability.5 = SEQWRAP, OID:aes-256-ofb
> SMIMECapability.6 = SEQWRAP, OID:aes-128-ecb
> SMIMECapability.7 = SEQWRAP, OID:aes-128-cbc
> SMIMECapability.8 = SEQWRAP, OID:aes-128-ecb
> SMIMECapability.9 = SEQUENCE:rsa_enc
>
> [ oids_section ]
> GroupeSTIAssurance = 1.3.6.1.4.1.51063.0.1
> GroupeSTIUser = 1.3.6.1.4.1.51063.0.1.0
> GroupeSTIDevice = 1.3.6.1.4.1.51063.0.1.1
> GroupeSTIAssuranceEV = 1.3.6.1.4.1.51063.0.1.2
>
> From: openssl-users <openssl-users-bounces at openssl.org> On behalf of Libor Chocholaty
> Sent: April 6, 2020 16:42
> To: openssl-users at openssl.org
> Subject: Re: Help with certificatePolicies section
>
> Hi,
>
> could you share commands that led to this error?
>
> It looks to me like a non-existent section in the config file is being referenced, e.g. as the parameter of the "-extensions" option.
>
> Regards,
> Libor
>
>
>
> On 2020-04-06 19:43, Richard Simard wrote:
>
> Hi!
> Can anybody help me with this error?
>
> Error Loading extension section server_cert
> 140091048477824:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=email_in_dn
> 140091048477824:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=rand_serial
> 140091048477824:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
> 140091048477824:error:2208306E:X509 V3 routines:policy_section:invalid object identifier:../crypto/x509v3/v3_cpols.c:183:section:Cert_policy_server,name:policyIdentifier,value:GroupeSTIAssurance, GroupeSTIDevice
> 140091048477824:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=certificatePolicies, value=ia5org,1.3.6.1.4.1.51063, at Cert_policy_server
>
> [ openssl_init ]
> oid_section = oids_section
>
> [ server_cert ]
> basicConstraints = CA:FALSE
> nsCertType = server
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid, issuer:always
> keyUsage = critical, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> certificatePolicies = ia5org, @Cert_policy_server
> crlDistributionPoints = crl_section
>
> [ Cert_policy_server ]
> policyIdentifier = GroupeSTIAssurance, GroupeSTIDevice
> CPS.1 = http://cps.groupesti.com
>
> [ crl_section ]
> fullname = URI:http://pki.groupesti.com/ca.crl
> CRLissuer = dirName:issuer_section
> reasons = keyCompromise, CACompromise
> authorityKeyIdentifier = keyid:always
>
> [ oids_section ]
> GroupeSTIAssurance = 1.3.6.1.4.1.51063.0.1
> GroupeSTIUser = 1.3.6.1.4.1.51063.0.1.0
> GroupeSTIDevice = 1.3.6.1.4.1.51063.0.1.1