URI with commas in crlDistributionPoints

Andrew andrew1193 at aim.com
Tue Jan 5 00:42:27 UTC 2021


I'm following a procedure for generating an offline CA for use with Microsoft
Active Directory Certificate Services for my own internal use, with instructions
available here:

https://www.altaro.com/hyper-v/wsl-offline-root-certificate-authority-windows-pki/

I am, however, using a different computer with OpenSSL 1.1.1i for root CA key
generation and intermediate CA signing, not WSL.

I'm trying to sign the intermediate certificate, but I get this error:

$ openssl ca -batch -in subca.req -extensions v3_subca -config ca.conf

Using configuration from ca.conf
Error Loading extension section v3_subca
4583112192:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:crypto/x509v3/v3_alt.c:548:name=crlDistributionPoints
4583112192:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=@crl_section

This is the contents of ca.conf. I have removed the full pathnames in
[ CA_default ] and my actual domain for privacy:

---------------
rootcaname=Domain Root Certification Authority

rootcaissuerssite=ldap:///CN=Domain Root Certification Authority,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=local?cACertificate

rootcrldistributionpoint=ldap:///CN=Domain Root Certification Authority,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /ca
certs = /ca/certs
crl_dir = /ca/crl
database = /ca/index.txt
new_certs_dir = /ca/certs
certificate = /ca/ca.crt
serial = /ca/serial
crlnumber = /ca/crlnumber
crl = /ca/crl/$rootcaname.crl
crl_extensions = crl_ext
private_key = /ca/ca.key
#RANDFILE = /ca/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 1825
default_crl_days = 365
default_md = sha256
preserve = no
policy = policy_match
email_in_dn = no
rand_serial = yes

[ policy_match ]
commonName = supplied

[ req ]
default_bits = 3072
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only

[ req_distinguished_name ]
commonName = Domain Intermediate Certification Authority
commonName_max = 64

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=critical,CA:true
keyUsage=critical,digitalSignature,cRLSign,keyCertSign

[ v3_subca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=critical,CA:true
keyUsage=critical,digitalSignature,cRLSign,keyCertSign
authorityInfoAccess = @v3_root_aia
crlDistributionPoints = @crl_section

[ v3_root_aia ]
caIssuers;URI=$rootcaissuerssite
#OCSP;URI=$rootocspsite

[ crl_ext ]
authorityKeyIdentifier=keyid:always
issuerAltName=issuer:copy

[crl_section]
crlDistributionPoints = URI:$rootcrldistributionpoint
---------------

I think the problem is with the commas in the URI I want to use for 
crlDistributionPoints:

ldap:///CN=Domain Root Certification Authority,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

How can I properly include this URI in the certificate?

Thanks!
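An added example, not part of the original post or of the OpenSSL project, that reproduces the failure above and shows one section layout that carries the comma-containing LDAP URI intact: OpenSSL hands every key of an @section to the GENERAL_NAME parser, so the key must be a name type such as URI rather than crlDistributionPoints, and a one-value-per-line section also keeps the commas away from the comma-separated list parser. It assumes openssl (1.1.1 or later) on PATH; the root and sub-CA keys, subjects and temp paths are constructed here, and the ldap:/// string is the poster's with their placeholder domain.

```shell
#!/bin/sh
# Added example (not the poster's or OpenSSL's code): sign a throwaway sub-CA
# request with the failing crl_section layout, then with a working one, and
# read back the CRL Distribution Points from the resulting certificate.
set -e
WORK=$(mktemp -d)
CDP='ldap:///CN=Domain Root Certification Authority,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint'

# Writes an extension file; $1 selects the "broken" or "fixed" crl_section.
write_ext() {
  cat > "$WORK/ext_$1.cnf" <<EOF
[ v3_subca ]
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,cRLSign,keyCertSign
crlDistributionPoints = @crl_section

[ crl_section ]
EOF
  if [ "$1" = broken ]; then
    # The key name goes to the GENERAL_NAME parser, which knows URI/DNS/... only
    echo "crlDistributionPoints = URI:$CDP" >> "$WORK/ext_$1.cnf"
  else
    # One general name per key; the value is taken whole, commas included
    echo "URI.1 = $CDP" >> "$WORK/ext_$1.cnf"
  fi
}

# Throwaway root and sub-CA request (constructed test material, 1-day validity)
make_keys() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Test Root' -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test SubCA' \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
}

# Signs sub.csr with the chosen extension file and prints the CDP lines of the
# certificate; returns non-zero when openssl rejects the extension section.
sign_with() {
  write_ext "$1"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext_$1.cnf" -extensions v3_subca \
    -out "$WORK/sub_$1.crt" 2>/dev/null || return 1
  openssl x509 -in "$WORK/sub_$1.crt" -noout -text | grep -A3 'CRL Distribution Points'
}
```

The same `URI.1 = ...` layout works in the `[crl_section]` referenced by `openssl ca` above, since both commands load the section through the same X509V3 config code.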

