[openssl-users] EDDSA crl creation woes
Matt Caswell
matt at openssl.org
Thu Aug 9 13:34:42 UTC 2018
On 08/08/18 20:49, Robert Moskowitz wrote:
> Finally back on working on my EDDSA pki.
>
> Working on beta Fedora29 which now ships with:
>
> OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
>
>
> To recap, there are challenges on hash specification. In creating
> certs, I cannot have default_md line in my .cnf file, or at least for it
> to = sha256. And in those commands where I had to have -md sha256 with
> ecdsa, I have to have -md null. This is compared to those commands that
> took -sha256 and now require nothing in the command line about the hash.
>
> So one to crl:
>
> openssl ca -config $dir/openssl-$intermediate.cnf \
> -gencrl -out $dir/crl/$crl
>
> Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
> Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
> variable lookup failed for CA_default::default_md
> 3069739024:error:0E06D06C:configuration file
> routines:NCONF_get_string:no
> value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
>
> In this .cnf file, there is no default_md line.
>
> So I added -md to the command line:
>
> openssl ca -config $dir/openssl-$intermediate.cnf -md null\
> -gencrl -out $dir/crl/$crl
>
> And that worked.
>
> Very confusing. It would be preferable if EDDSA related generation just
> ignores md values?
>
>
I've just created PR 6901 that will hopefully improve things. This
basically ignores any -md or default_md setting if EdDSA is in use.
https://github.com/openssl/openssl/pull/6901
Matt
More information about the openssl-users
mailing list