openssl ca works, but with error messages

David von Oheimb it at von-Oheimb.de
Mon May 15 18:12:16 UTC 2023


Hi Bob, 

the below weird behavior is due to minor bugs in certain situations
where the CA app looks for config file entries like "email_in_dn" that
are not present. 
Usually these (needless) error messages get discarded, but for instance
when both "default_startdate" and "default_enddate" are given, this is
not done so far.
Fix is in https://github.com/openssl/openssl/pull/20971

 David

On Sun, 2023-05-14 at 19:23 -0400, Robert Moskowitz wrote:
> I am using:
> 
> openssl ca -config $dir/openssl-root.cnf    -extensions v3_ca
> 
> With customizations in the cnf.
> 
> The command generates the cert to sign, but on doing that (or if I say
> N) throws the errors:
> 
> Certificate is to be certified until Jun  1 00:00:00 2024 GMT (385 days)
> Sign the certificate? [y/n]:y
> 402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=email_in_dn
> 402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=rand_serial
> 402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=default_days
> 
> 
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> 
> I am using specific dates:
> 
> default_startdate = $ENV::startdate
> default_enddate   = $ENV::enddate
> 
>          Validity
>              Not Before: May  1 00:00:00 2023 GMT
>              Not After : Jun  1 00:00:00 2024 GMT
> 
> and it is getting the serial number
> 
> serial            = $dir/serial
> 
>          Serial Number:
>              98:3f:27:9d:c7:3c:69:13
> 
> And why is it complaining about email_in_dn?
> 
> I do get the cert out, but why these errors and what should I be doing
> about them?
> 
> thanks
> 
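
For CA automation that captures stderr from `openssl ca`, the sketch below (an added example, not code from OpenSSL or from either poster) separates the lookup-failure messages described in this thread from anything else in the error output. The function names, the `OPTIONAL_KEYS` set and the `private_key` sample record are assumptions made for illustration.

```python
import re

# Keys whose absence produced the messages quoted in this thread (assumption:
# add others only if you know the ca app treats them as optional).
OPTIONAL_KEYS = {"email_in_dn", "rand_serial", "default_days"}
# OpenSSL 3.x record: tid:error:code:library:function:reason:file:line:data
ERR_RE = re.compile(r"^[0-9A-F]+:error:[0-9A-F]+:[^:]*:(?P<func>[^:]*):"
                    r"(?P<reason>[^:]*):[^:]*:\d+:(?P<data>.*)$")
START_RE = re.compile(r"^[0-9A-F]+:error:")
NAME_RE = re.compile(r"group=\S+\s+name=(?P<name>\S+)")

def unwrap(lines):
    """Rejoin error records that a mail client or terminal wrapped."""
    records = []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        prev = records[-1] if records else ""
        if (not START_RE.match(line) and START_RE.match(prev)
                and not ERR_RE.match(prev)):
            records[-1] = prev + " " + line   # continuation of a cut record
        else:
            records.append(line)
    return records

def classify(lines):
    """Return (benign_key_names, actionable_error_records)."""
    benign, actionable = [], []
    for rec in unwrap(lines):
        if not START_RE.match(rec):
            continue                          # prompts and status text
        m = ERR_RE.match(rec)
        name = NAME_RE.search(m["data"]) if m else None
        if (m and name and m["func"] == "NCONF_get_string"
                and m["reason"] == "no value" and name["name"] in OPTIONAL_KEYS):
            benign.append(name["name"])
        else:
            actionable.append(rec)            # anything else needs a human
    return benign, actionable

# Constructed sample: the first record is wrapped as in the thread; the last
# record (name=private_key) is made up and must not be filtered out.
SAMPLE = """Sign the certificate? [y/n]:y
402C4AD0637F0000:error:0700006C:configuration file
routines:NCONF_get_string:no
value:crypto/conf/conf_lib.c:315:group=CA_default name=email_in_dn
402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=rand_serial
402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=default_days
402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=private_key
"""

if __name__ == "__main__":
    print(classify(SAMPLE.splitlines()))
```

Only records that match all three conditions (function, reason and a key in the allow-list) are set aside; an unparsable or unknown error record stays in the actionable list so a real signing failure is never hidden.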