[openssl-users] Errors on EndEntity cert generation

Robert Moskowitz rgm at htt-consult.com
Fri Jul 27 19:06:17 UTC 2018 


On 07/27/2018 01:26 PM, Viktor Dukhovni wrote:
> On Jul 27, 2018, at 1:20 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
>>>> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>>
>>>> Error Loading extension section server_cert
>>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
>>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
>>>> 3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
>>>> 3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
>>>> 3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
>>>>
>>>> Please help me with these latest errors.
>>> Start with a less exotic ".cnf" file.  These are all configuration errors,
>>> unrelated to ed25519.  Get a working RSA config file, and then switch
>>> algorithms.
>>>
>> I am using a working ecdsa config file
> It is a good idea to read that file and match the error messages
> to the file content.  You'll quickly find a bunch of $ENV:: settings
> that must yield non-empty results, but you (surely) don't have those
> environment variables set...  There are perhaps other issues.

I read those messages and got stuck on the first and did not catch the 
last 2.  My procedure did not set ocspIAI and crlDP.  :(

Even though my write up says to make sure to do this!  Sigh.

Got my EE server cert.  Onwards!

>
>> (the one in my draft-moskowitz-ecdsa-pki):
>>
>> # OpenSSL intermediate CA configuration file.
>> # Copy to `$dir/intermediate/openssl-intermediate.cnf`.
>>
>> [ ca ]
>> # `man ca`
>> default_ca = CA_default
>>
>> [ CA_default ]
>> # Directory and file locations.
>> dir= $ENV::dir
>> cadir = $ENV::cadir
>> format= $ENV::format
>>
>> certs = $dir/certs
>> crl_dir  = $dir/crl
>> new_certs_dir  = $dir/newcerts
>> database = $dir/index.txt
>> serial= $dir/serial
>> RANDFILE = $dir/private/.rand
>>
>> # The Intermediate key and Intermediate certificate.
>> private_key = $dir/private/intermediate.key.$format
>> certificate = $dir/certs/intermediate.cert.$format
>>
>> # For certificate revocation lists.
>> crlnumber= $dir/crlnumber
>> crl= $dir/crl/intermediate.crl.pem
>> crl_extensions = crl_ext
>> default_crl_days  = $ENV::default_crl_days
>>
>> # SHA-1 is deprecated, so use SHA-2 instead.
>> # default_md  = sha256
>>
>> name_opt = ca_default
>> cert_opt = ca_default
>> default_days= 375
>> preserve = no
>> policy= policy_loose
>> copy_extensions= copy
>>
>> [ policy_strict ]
>> # The root CA should only sign intermediate certificates that match.
>> # See the POLICY FORMAT section of `man ca`.
>> countryName = match
>> stateOrProvinceName  = match
>> organizationName  = match
>> organizationalUnitName  = optional
>> commonName  = optional
>>
>> [ policy_loose ]
>> # Allow the intermediate CA to sign a more
>> #  diverse range of certificates.
>> # See the POLICY FORMAT section of the `ca` man page.
>> countryName = optional
>> stateOrProvinceName  = optional
>> localityName= optional
>> organizationName  = optional
>> organizationalUnitName  = optional
>> commonName  = optional
>> UID= optional
>>
>> [ req ]
>> # Options for the `req` tool (`man req`).
>> default_bits  = 2048
>> distinguished_name  = req_distinguished_name
>> string_mask= utf8only
>> req_extensions= req_ext
>>
>> # SHA-1 is deprecated, so use SHA-2 instead.
>> # default_md = sha256
>>
>> # Extension to add when the -x509 option is used.
>> x509_extensions  = v3_ca
>>
>> [ req_distinguished_name ]
>> # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
>> countryName= Country Name (2 letter code)
>> stateOrProvinceName = State or Province Name
>> localityName  = Locality Name
>> 0.organizationName  = Organization Name
>> organizationalUnitName = Organizational Unit Name
>> commonName = Common Name
>> UID  = User ID
>>
>> # Optionally, specify some defaults.
>> # countryName_default = US
>> # stateOrProvinceName_default  = MI
>> # localityName_default= Oak Park
>> # 0.organizationName_default= HTT Consulting
>> # organizationalUnitName_default  =
>>
>> [ req_ext ]
>> subjectAltName = $ENV::subjectAltName
>>
>> [ v3_ca ]
>> # Extensions for a typical CA (`man x509v3_config`).
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always,issuer
>> basicConstraints = critical, CA:true
>> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>> keyUsage = critical, cRLSign, keyCertSign
>>
>> [ v3_intermediate_ca ]
>> # Extensions for a typical intermediate CA (`man x509v3_config`).
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always,issuer
>> basicConstraints = critical, CA:true, pathlen:0
>> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>> keyUsage = critical, cRLSign, keyCertSign
>>
>> [ usr_cert ]
>> # Extensions for client certificates (`man x509v3_config`).
>> basicConstraints = CA:FALSE
>> nsCertType = client, email
>> nsComment = "OpenSSL Generated Client Certificate"
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid,issuer
>> keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
>> extendedKeyUsage = clientAuth, emailProtection
>> crlDistributionPoints = $ENV::crlDP
>> authorityInfoAccess = $ENV::ocspIAI
>>
>> [ server_cert ]
>> # Extensions for server certificates (`man x509v3_config`).
>> basicConstraints = CA:FALSE
>> nsCertType = server
>> nsComment = "OpenSSL Generated Server Certificate"
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid,issuer:always
>> keyUsage = critical, digitalSignature, keyEncipherment
>> extendedKeyUsage = serverAuth
>> crlDistributionPoints = $ENV::crlDP
>> authorityInfoAccess = $ENV::ocspIAI
>>
>> [ crl_ext ]
>> # Extension for CRLs (`man x509v3_config`).
>> authorityKeyIdentifier=keyid:always
>>
>> [ ocsp ]
>> # Extension for OCSP signing certificates (`man ocsp`).
>> basicConstraints = CA:FALSE
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid,issuer
>> keyUsage = critical, digitalSignature
>> extendedKeyUsage = critical, OCSPSigning

More information about the openssl-users mailing list