[openssl-users] Env variables in config file to add a whole line

Robert Moskowitz rgm at htt-consult.com
Wed Sep 6 16:23:11 UTC 2017

I am trying to use an environment variable to add a whole line to the 
config file.  This is to control adding (or not providing) CRL and/or 
OCSP support.

export shows:

declare -x crlDP="crlDistributionPoints = 
declare -x default_crl_days="default_crl_days  = 30"
declare -x ocspIAI="authorityInfoAccess = 

The config file starts with:

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir= $ENV::dir
cadir = $ENV::cadir
format= $ENV::format
crlDP = $ENV::crlDP
default_crl_days  = $ENV::default_crl_days
ocspIAI  = $ENV::ocspIAI

The usr_cert section has:

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

Note that the line with "$crlDP" is line 123

When I run the command:

     openssl req -config $dir/openssl-intermediate.cnf       -key 
$dir/private/$serverfqdn.key.$format        -subj "$DN" -new -sha256 
-out $dir/csr/$serverfqdn.csr.$format

I get the error:

req: Error on line 123 of config file 
unable to find 'distinguished_name' in config
problems making Certificate Request
3070145488:error:0E06D06A:configuration file 
routines:NCONF_get_string:no conf or environment 

note that if I:

grep -n distinguished_name openssl-intermediate.cnf

68:distinguished_name  = req_distinguished_name
78:[ req_distinguished_name ]

So the warning about unable to find 'distinguished_name' in config

Is misleading.  The problem is more likely with line 123 which is only 
the env variable.

I can play around with this and hopefully the variables to work as

crlDistributionPoints = $crlDP

And if $crlDP is empty, it will not put an empty value into the cert.  
But why does what I have not work?



More information about the openssl-users mailing list