[openssl-users] Errors on EndEntity cert generation

Robert Moskowitz rgm at htt-consult.com
Fri Jul 27 17:20:29 UTC 2018



On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
>
>> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>
>> Error Loading extension section server_cert
>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
>> 3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
>> 3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
>> 3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
>>
>> Please help me with these latest errors.
> Start with a less exotic ".cnf" file.  These are all configuration errors,
> unrelated to ed25519.  Get a working RSA config file, and then switch
> algorithms.
>
I am using a working ecdsa config file (the one in my 
draft-moskowitz-ecdsa-pki):

# OpenSSL intermediate CA configuration file.
# Copy to `$dir/intermediate/openssl-intermediate.cnf`.

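[ ca ]
# Tells the `ca` tool which section below holds its settings (`man ca`).
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
# `$ENV::name` substitutes the environment variable `name` when the file
# is loaded; an unset variable makes OpenSSL refuse to load the file
# ("variable has no value"), so dir, cadir and format must all be
# exported before `ca` runs.
dir = $ENV::dir
# cadir is not referenced anywhere else in this file.
cadir = $ENV::cadir
# File suffix for the key/certificate paths below (e.g. pem or der).
format = $ENV::format

certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
# PRNG seed file; deprecated in recent OpenSSL releases but still accepted.
RANDFILE = $dir/private/.rand

# The Intermediate key and Intermediate certificate.
private_key = $dir/private/intermediate.key.$format
certificate = $dir/certs/intermediate.cert.$format

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = $ENV::default_crl_days

# SHA-1 is deprecated, so use SHA-2 instead.
# No default_md is set here, so the library default digest applies
# (check `man ca` for the release in use); uncomment the line below to
# pin it.  The digest is ignored for Ed25519/Ed448 keys.
# default_md  = sha256

# Display options for the name and certificate shown before signing.
name_opt = ca_default
cert_opt = ca_default
# Validity of issued certificates, in days.
default_days = 375
# DN field order follows the policy section, not the CSR.
preserve = no
# Which DN fields an issued certificate must contain or match.
policy = policy_loose
# copy: extensions found in the CSR that the chosen -extensions section
# does not already define are carried into the issued certificate.  A
# requester can therefore add extensions (e.g. subjectAltName) that this
# file never mentions, so check each CSR's extensions before signing, or
# set `none` if all extensions should come from this file only.
copy_extensions = copy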

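[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
# Not selected by [ CA_default ] (policy = policy_loose), so it applies
# only when passed explicitly with `-policy policy_strict`.
# `match` fields must equal the CA certificate's value; fields not listed
# here (localityName, UID) are dropped from the issued DN per `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = optional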

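[ policy_loose ]
# Allow the intermediate CA to sign a more
#  diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
# Nothing is matched against the CA certificate, so the issued DN is
# whatever the CSR supplied for these fields; fields not listed here
# are dropped.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
UID = optional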

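[ req ]
# Options for the `req` tool (`man req`).
# Key size used only when `req` generates an RSA/DSA key itself; it does
# not apply to a pre-generated EC or Ed25519 key passed with -key.
default_bits = 2048
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only (no T61/BMP variants).
string_mask = utf8only
# Extensions placed in the CSR.
req_extensions = req_ext

# SHA-1 is deprecated, so use SHA-2 instead.
# Not set, so the library default digest is used; ignored for Ed25519.
# default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca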

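[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Each value is the prompt `req` shows for that DN field.  The `0.`
# prefix is ignored by `req` and lets a second organizationName be
# given as `1.organizationName` (`man req`).
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
UID = User ID

# Optionally, specify some defaults.
# Uncomment and edit to pre-fill the prompts; the sample values are
# the author's own.
# countryName_default = US
# stateOrProvinceName_default = MI
# localityName_default = Oak Park
# 0.organizationName_default = HTT Consulting
# organizationalUnitName_default =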

[ req_ext ]
# Extensions added to CSRs by `req` (req_extensions above).
# The value is taken verbatim from the environment variable
# subjectAltName, so it must be exported as a complete extension string
# (e.g. `DNS:<hostname>`).  An exported-but-empty variable would
# presumably fail the same way as the crlDistributionPoints error quoted
# in the thread above ("invalid null name").
subjectAltName = $ENV::subjectAltName

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
# Used by `req -x509` (x509_extensions above), i.e. for a self-signed
# root.  Extensions are emitted in the order listed here.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# No pathlen, so this CA may issue further CAs.
basicConstraints = critical, CA:true
# keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Without digitalSignature the CA key signs certificates and CRLs only;
# the commented variant above is presumably what a CA needs if it signs
# OCSP responses with its own key rather than a delegated [ ocsp ] cert.
keyUsage = critical, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# Not referenced elsewhere in this file; presumably selected with
# `-extensions v3_intermediate_ca` when the root signs the intermediate
# CSR.  Extensions are emitted in the order listed here.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - this CA may issue end-entity certificates only.
basicConstraints = critical, CA:true, pathlen:0
# keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# No digitalSignature: the intermediate key signs certificates and CRLs
# only, so OCSP responses must come from a delegated [ ocsp ] cert.
keyUsage = critical, cRLSign, keyCertSign

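[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
# Extensions are emitted in the issued certificate in the order listed.
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; harmless, but
# modern clients largely ignore them.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
# keyid, with issuer DN + serial only if no keyid is available.
authorityKeyIdentifier = keyid,issuer
# NOTE(review): nonRepudiation is the old name for contentCommitment.
# keyEncipherment is only meaningful for RSA keys; RFC 5480 / RFC 8410
# forbid it for EC and Ed25519 keys, which this thread is about -- confirm
# the intended key type before keeping it.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
# Both values come verbatim from the environment and must be complete
# extension strings (e.g. `URI:http://<crl-host>/<crl-file>` and
# `OCSP;URI:http://<ocsp-host>`).  An exported-but-empty variable fails
# with "invalid null name", as the server_cert errors in the thread show.
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI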

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# Extensions are emitted in the issued certificate in the order listed.
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; harmless, but
# modern clients largely ignore them.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# NOTE(review): [ usr_cert ] uses `keyid,issuer` (issuer DN + serial only
# as a fallback); `issuer:always` here embeds them unconditionally.
# Probably meant to match -- confirm.
authorityKeyIdentifier = keyid,issuer:always
# NOTE(review): keyEncipherment is RSA-only; RFC 5480 / RFC 8410 forbid
# it for EC and Ed25519 keys -- confirm the intended key type.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Both values come verbatim from the environment.  The errors quoted in
# the thread above (`name=crlDistributionPoints, value=` together with
# `invalid null name`) show crlDP was exported but empty: it must hold a
# complete extension string such as `URI:http://<crl-host>/<crl-file>`.
# Export ocspIAI the same way (e.g. `OCSP;URI:http://<ocsp-host>`).
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI

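[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
# Selected by crl_extensions in [ CA_default ].  `keyid:always` makes
# CRL generation fail if the CA certificate has no subjectKeyIdentifier.
authorityKeyIdentifier = keyid:always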

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# For a delegated responder certificate; not referenced elsewhere in
# this file, so select it with `-extensions ocsp` when signing.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# digitalSignature only: the key cannot issue certificates or CRLs.
keyUsage = critical, digitalSignature
# Critical OCSPSigning limits this certificate to signing OCSP responses.
extendedKeyUsage = critical, OCSPSigning



