Help request
Richard Simard
richard.simard at groupesti.com
Fri Apr 16 16:27:23 UTC 2021
When I try to sign a certificate, I get the message below, even though the certificate and the key match.
Can someone help me?
Thank You!
Richard Simard
root at PKI:/# /usr/bin/openssl ca -selfsign -config /etc/root-ca.conf -in /ca/network-ca/csr/network-ca.csr -out /ca/network-ca/crt/network-ca.crt -extensions intermediate_ca_ext -startdate 20210101000000Z -enddate 20311231235959Z
Using configuration from /etc/root-ca.conf
Enter pass phrase for ./ca/root-ca/key/root-ca.key: ************
Check that the request matches the signature
Certificate request and CA private key do not match
root at PKI:/#
root at PKI:/# /usr/bin/openssl x509 -in /ca/root-ca/crt/root-ca.crt -noout -modulus | openssl md5
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/# /usr/bin/openssl rsa -in /ca/root-ca/key/root-ca.key -noout -modulus | openssl md5
Enter pass phrase for /ca/root-ca/key/root-ca.key: ************
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/# /usr/bin/openssl req -in /ca/root-ca/csr/root-ca.csr -noout -modulus | openssl md5
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/#
root-ca.conf:
# Variables shared by the other sections of root-ca.conf (referenced as $name).
[ default ]
# CA name; used to build every file path and URL below.
ca = root-ca
# Top directory. Relative, so all paths resolve against the working directory
# of the openssl process (the transcript shows ./ca/root-ca/... from cwd /).
dir = .
base_url = http://pki.groupesti.com
crl_url = http://crl.groupesti.com
# Presumably consumed by sections not shown here (issuer_info / policy sections).
ocsp_url = http://ocsp.groupesti.com
cps_url = http://cps.groupesti.com
# URL of the CA certificate (AIA caIssuers).
aia_url = $base_url/$ca.cer
# NOTE(review): crl_url is assigned twice. This appears to rely on OpenSSL
# expanding $crl_url with the value it had when this line is parsed, giving
# http://crl.groupesti.com/root-ca.crl. It works but is fragile; a distinct
# variable name for the CRL host would make the intent explicit — confirm.
crl_url = $crl_url/$ca.crl
# Display options for subject names (used via $name_opt in [ root_ca ]).
name_opt = multiline, -esc_msb, utf8
# Names the library initialisation section; not shown in this listing.
openssl_conf = openssl_init
# openssl ca settings for the root CA. Only selected if a [ ca ] section
# (not shown in this listing) sets default_ca = root_ca — confirm it exists.
[ root_ca ]
certificate = $dir/ca/$ca/crt/$ca.crt
# NOTE(review): the transcript runs openssl ca with -selfsign. That flag
# requires the CSR to have been signed with this private key and otherwise
# fails with "Certificate request and CA private key do not match".
# network-ca.csr is signed by network-ca's own key, so -selfsign must be
# dropped when issuing a subordinate CA certificate; it is only for issuing
# the root's own certificate from root-ca.csr. The modulus checks in the
# transcript compare root-ca files only, which is why they all match.
private_key = $dir/ca/$ca/key/$ca.key
new_certs_dir = $dir/ca/$ca/newcrt
# Serial and CRL-number counters; keep them backed up together with the database.
serial = $dir/ca/$ca/db/$ca.crt.srl
crlnumber = $dir/ca/$ca/db/$ca.crl.srl
database = $dir/ca/$ca/db/$ca.db
# Allow several valid certificates with the same subject (e.g. for renewal).
unique_subject = no
# Default validity (~10 years); overridden by -startdate/-enddate as in the transcript.
default_days = 3652
default_md = sha512
# DN matching policy section; not shown in this listing.
policy = match_pol
email_in_dn = no
preserve = no
name_opt = $name_opt
cert_opt = ca_default
# Extensions requested in the CSR are ignored; only the extension section
# named below (or the one given with -extensions) is applied.
copy_extensions = none
x509_extensions = intermediate_ca_ext
# CRL validity in days.
default_crl_days = 30
# CRL extension section; not shown in this listing.
crl_extensions = crl_ext
# Extensions applied to certificates issued to subordinate (intermediate) CAs.
[ intermediate_ca_ext ]
keyUsage = critical, keyCertSign, cRLSign
# NOTE(review): no path length constraint, so the intermediate may itself
# issue further CA certificates. If it should only issue end-entity
# certificates, consider `basicConstraints = critical, CA:true, pathlen:0`.
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# The referenced @sections are not shown in this listing.
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info
certificatePolicies = @policy_intermediate_ca_ext
# Microsoft CA version extension; DER 02:01:02 encodes INTEGER 2. Requires
# the MsCaV OID to be defined in an oid_section (not shown) — confirm.
MsCaV = DER:02:01:02
network-ca.conf:
# Variables shared by the other sections of network-ca.conf (referenced as $name).
[ default ]
# CA name; used to build every file path and URL below.
ca = network-ca
# Top directory; relative to the working directory of the openssl process.
dir = .
base_url = http://pki.groupesti.com
crl_url = http://crl.groupesti.com
# Presumably consumed by sections not shown here (issuer_info / policy sections).
ocsp_url = http://ocsp.groupesti.com
cps_url = http://cps.groupesti.com
# URL of the CA certificate (AIA caIssuers).
aia_url = $base_url/$ca.cer
# NOTE(review): crl_url is assigned twice, as in root-ca.conf; this appears to
# rely on $crl_url expanding to the earlier value at parse time. Works but is
# fragile — a distinct variable name for the CRL host would be clearer.
crl_url = $crl_url/$ca.crl
# Display options for subject names (used via $name_opt in [ network_ca ]).
name_opt = multiline, -esc_msb, utf8
# Names the library initialisation section; not shown in this listing.
openssl_conf = openssl_init
# openssl req settings used to generate network-ca's key and CSR.
[ req ]
# RSA key size in bits.
default_bits = 8192
# The private key is written passphrase-protected.
encrypt_key = yes
default_md = sha512
utf8 = yes
# NOTE(review): string_mask is assigned twice in this section. OpenSSL
# appears to keep the last assignment, so this utf8only line is shadowed by
# the MASK:0x2002 line below; remove one so the effective setting is explicit.
string_mask = utf8only
# Non-interactive: the subject is taken from the ca_dn section (not shown).
prompt = no
distinguished_name = ca_dn
# CSR extension section; not shown in this listing.
req_extensions = ca_reqext
# Numeric mask; 0x2002 appears to permit PrintableString as well as
# UTF8String, i.e. broader than utf8only — confirm which is intended.
string_mask = MASK:0x2002
# openssl ca settings for the network (subordinate) CA. Only selected if a
# [ ca ] section (not shown) sets default_ca = network_ca — confirm it exists.
[ network_ca ]
# The certificate at this path is the one root-ca is expected to issue
# (see the transcript's -out /ca/network-ca/crt/network-ca.crt).
certificate = $dir/ca/$ca/crt/$ca.crt
private_key = $dir/ca/$ca/key/$ca.key
new_certs_dir = $dir/ca/$ca/newcrt
# Serial and CRL-number counters; keep them backed up together with the database.
serial = $dir/ca/$ca/db/$ca.crt.srl
crlnumber = $dir/ca/$ca/db/$ca.crl.srl
database = $dir/ca/$ca/db/$ca.db
# Allow several valid certificates with the same subject (e.g. for renewal).
unique_subject = no
# Default validity (~10 years) when -enddate is not given.
default_days = 3652
default_md = sha512
# DN matching policy section; not shown in this listing.
policy = match_pol
email_in_dn = no
preserve = no
name_opt = $name_opt
cert_opt = ca_default
# Extensions requested in the CSR are ignored; only the extension section
# named below (or the one given with -extensions) is applied.
copy_extensions = none
# Extension section for certificates this CA issues; not shown in this listing.
x509_extensions = signing_ca_ext
# CRL validity in days (shorter than root-ca's 30, so CRLs must be reissued daily).
default_crl_days = 1
# CRL extension section; not shown in this listing.
crl_extensions = crl_ext