[openssl-users] EDDSA crl creation woes

Robert Moskowitz rgm at htt-consult.com
Wed Aug 8 19:49:48 UTC 2018

Finally back on working on my EDDSA pki.

Working on beta Fedora29 which now ships with:

OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018

To recap, there are challenges on hash specification.  In creating 
certs, I cannot have default_md line in my .cnf file, or at least for it 
to = sha256.  And in those commands where I had to have -md sha256 with 
ecdsa, I have to have -md null.  This is compared to those commands that 
took -sha256 and now require nothing in the command line about the hash.

So one to crl:

    openssl ca -config $dir/openssl-$intermediate.cnf \
          -gencrl -out $dir/crl/$crl

Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
variable lookup failed for CA_default::default_md
3069739024:error:0E06D06C:configuration file 
value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md

In this .cnf file, there is no default_md line.

So I added -md to the command line:

    openssl ca -config $dir/openssl-$intermediate.cnf -md null\
          -gencrl -out $dir/crl/$crl

And that worked.

Very confusing.  It would be preferable if EDDSA related generation just 
ignores md values?

More information about the openssl-users mailing list