[openssl-users] EDDSA crl creation woes
Robert Moskowitz
rgm at htt-consult.com
Wed Aug 8 19:49:48 UTC 2018
Finally back on working on my EDDSA pki.
Working on beta Fedora29 which now ships with:
OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
To recap, there are challenges on hash specification. In creating
certs, I cannot have default_md line in my .cnf file, or at least for it
to = sha256. And in those commands where I had to have -md sha256 with
ecdsa, I have to have -md null. This is compared to those commands that
took -sha256 and now require nothing in the command line about the hash.
So one to crl:
openssl ca -config $dir/openssl-$intermediate.cnf \
-gencrl -out $dir/crl/$crl
Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
variable lookup failed for CA_default::default_md
3069739024:error:0E06D06C:configuration file
routines:NCONF_get_string:no
value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
In this .cnf file, there is no default_md line.
So I added -md to the command line:
openssl ca -config $dir/openssl-$intermediate.cnf -md null\
-gencrl -out $dir/crl/$crl
And that worked.
Very confusing. It would be preferable if EDDSA related generation just
ignores md values?
More information about the openssl-users
mailing list