Need some help signing a certificate request

Michael Wojcik Michael.Wojcik at microfocus.com
Sat Aug 21 17:42:47 UTC 2021


> From: rgordey at centerprism.com <rgordey at centerprism.com>
> Sent: Saturday, 21 August, 2021 11:26
> 
> My openssl.cnf (I have tried `\` and `\\` and `/` directory separators):

Use forward slashes. Backslashes should work on Windows, but forward slashes work everywhere. I don't know that "\\" will work anywhere. 

> [ ca ]
> default_ca = testca
> 
> [ testca ]
> dir = .
> certificate = $dir\\ca_certificate.pem
> database = $dir\\index.txt

What's in index.txt? Is it a valid OpenSSL CA index file, or completely empty (zero length)?

If it's not either of those, replace it with an empty file, for example with:

copy nul index.txt

> new_certs_dir = $dir\\certs
> private_key = $dir\\private\\ca_private_key.pem

These directories exist?

> serial = $dir\\serial

This file exists? Though you really shouldn't be assigning serial numbers; you should let OpenSSL create them using the -create_serial option.

> 
> default_crl_days = 7
> default_days = 365
> default_md = sha256
> 
> policy = testca_policy
> x509_extensions = certificate_extensions
> 
> [ testca_policy ]
> commonName = supplied
> stateOrProvinceName = optional
> countryName = optional
> emailAddress = optional
> organizationName = optional
> organizationalUnitName = optional
> domainComponent = optional
> 
> [ certificate_extensions ]
> basicConstraints = CA:false
> 
> [ req ]
> default_bits = 2048
> default_keyfile = .\\private\\ca_private_key.pem
> default_md = sha256
> prompt = yes
> distinguished_name = root_ca_distinguished_name
> x509_extensions = root_ca_extensions
> 
> [ root_ca_distinguished_name ]
> commonName = hostname
> 
> [ root_ca_extensions ]
> basicConstraints = CA:true
> keyUsage = keyCertSign, cRLSign
> 
> [ client_ca_extensions ]
> basicConstraints = CA:false
> keyUsage = digitalSignature,keyEncipherment
> extendedKeyUsage = 1.3.6.1.5.5.7.3.2

Why are you specifying this by OID? Just use "extendedKeyUsage = clientAuth". (I'm assuming a reasonably recent OpenSSL version.)

> 
> [ server_ca_extensions ]
> basicConstraints = CA:false
> keyUsage = digitalSignature,keyEncipherment
> extendedKeyUsage = 1.3.6.1.5.5.7.3.1


Your command line was:

> openssl ca -config .\openssl.cnf -in ../server/req.pem -out server_certificate.pem -notext -batch -extensions server_ca_extensions

Try it without -batch and with -verbose. And again I'd recommend -create_serial, unless you have some strange requirement to control serial numbers. Browsers in particular may be unhappy if your serial numbers don't conform to the CA/BF Basic Requirements, and it's a pain trying to do that manually.

-- 
Michael Wojcik
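
The points made in the reply (forward slashes in the config, an empty index.txt, existing certs/ and private/ directories, named extendedKeyUsage values instead of OIDs, and -create_serial instead of a hand-maintained serial file) pulled together into one script. This is an added example, not code from the thread; it assumes a POSIX shell with openssl on PATH, and the directory layout, file names and subject names are made up for the demonstration. Section names follow the quoted openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original thread: a scratch OpenSSL CA laid out
# the way the reply suggests, used to sign a server CSR. Paths and subjects
# are hypothetical.

# Write the CA config into the current directory. Forward slashes only,
# named EKUs rather than raw OIDs. unique_subject=no lets the same CN be
# re-issued, which otherwise fails with "already a certificate for ...".
write_ca_config() {
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = testca

[ testca ]
dir              = .
certificate      = $dir/ca_certificate.pem
database         = $dir/index.txt
new_certs_dir    = $dir/certs
private_key      = $dir/private/ca_private_key.pem
serial           = $dir/serial
default_crl_days = 7
default_days     = 365
default_md       = sha256
policy           = testca_policy
x509_extensions  = certificate_extensions
unique_subject   = no

[ testca_policy ]
commonName       = supplied
organizationName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = root_ca_distinguished_name
x509_extensions    = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = Common Name

[ root_ca_extensions ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Build the CA in a scratch directory, issue one server certificate with
# "openssl ca -create_serial", and check the result. Returns 0 only when the
# issued certificate verifies against the root and carries CA:FALSE plus the
# serverAuth EKU. On failure the scratch directory is kept for inspection.
sign_with_test_ca() {
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" || exit 1
        mkdir -p certs private &&
        : > index.txt &&            # empty index ("copy nul index.txt" on Windows)
        write_ca_config &&
        # self-signed root; -extensions selects the CA section explicitly
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
            -keyout private/ca_private_key.pem -out ca_certificate.pem \
            -subj "/CN=Test Root CA" -config openssl.cnf \
            -extensions root_ca_extensions 2>/dev/null &&
        # a server CSR, standing in for the thread's ../server/req.pem
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout server_key.pem -out server_req.pem \
            -subj "/CN=server.example.test" -config openssl.cnf 2>/dev/null &&
        # no "serial" file exists, so -create_serial generates a random one
        openssl ca -config openssl.cnf -batch -create_serial -notext \
            -extensions server_ca_extensions \
            -in server_req.pem -out server_certificate.pem &&
        openssl verify -CAfile ca_certificate.pem server_certificate.pem &&
        openssl x509 -in server_certificate.pem -noout -text > issued.txt &&
        grep -q 'CA:FALSE' issued.txt &&
        grep -q 'TLS Web Server Authentication' issued.txt
    )
    status=$?
    if [ "$status" -eq 0 ]; then
        rm -rf "$workdir"
    else
        echo "failed; scratch directory kept at $workdir" >&2
    fi
    return "$status"
}

# Run when executed directly; skip quietly if openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    sign_with_test_ca
fi
```

Dropping -batch and adding -verbose to the openssl ca line, as the reply suggests, is the quickest way to see which of the config paths is the one OpenSSL cannot open when signing fails.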
