Env variables in config file to add a whole line


Env variables in config file to add a whole line

Robert Moskowitz
I am trying to use an environment variable to add a whole line to the
config file.  This is to control adding (or not providing) CRL and/or
OCSP support.

export shows:

declare -x crlDP="crlDistributionPoints = URI:http://www.htt-consult.com/pki/intermediate.crl.pem"
declare -x default_crl_days="default_crl_days  = 30"
declare -x ocspIAI="authorityInfoAccess = OCSP;URI:http://ocsp.htt-consult.com"

The config file starts with:


[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = $ENV::dir
cadir             = $ENV::cadir
format            = $ENV::format
crlDP             = $ENV::crlDP
default_crl_days  = $ENV::default_crl_days
ocspIAI           = $ENV::ocspIAI


The usr_cert section has:

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
$crlDP
$ocspIAI

Note that the line with "$crlDP" is line 123

When I run the command:

     openssl req -config $dir/openssl-intermediate.cnf -key $dir/private/$serverfqdn.key.$format \
         -subj "$DN" -new -sha256 -out $dir/csr/$serverfqdn.csr.$format

I get the error:

req: Error on line 123 of config file "/home/rgm/ca/intermediate/openssl-intermediate.cnf"
unable to find 'distinguished_name' in config
problems making Certificate Request
3070145488:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto/conf/conf_lib.c:272:

Note that if I:

grep -n distinguished_name openssl-intermediate.cnf

68:distinguished_name  = req_distinguished_name
78:[ req_distinguished_name ]

So the warning about being unable to find 'distinguished_name' in config
is misleading.  The problem is more likely with line 123, which is only
the env variable.

I can play around with this and hopefully get the variables to work as
crlDistributionPoints = $crlDP

And if $crlDP is empty, it will not put an empty value into the cert.  
But why does what I have not work?

thanks

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Env variables in config file to add a whole line

Robert Moskowitz
I got past the error to build the CSR by using:

crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI

Just $crlDP failed even though I had this defined in the [ca] section.

The CSR does not use the user_cert or server_cert.  This was 'just' a
config file syntax issue.  When I try to make the cert I get the following:

crlDP=URI:http://www.htt-consult.com/pki/intermediate.crl.pem
default_crl_days=30
ocspIAI="OCSP;URI:http://ocsp.htt-consult.com"

    openssl ca -config $dir/openssl-intermediate.cnf -days 375\
        -extensions server_cert -notext -md sha256 \
        -in $dir/csr/$serverfqdn.csr.$format\
        -out $dir/certs/$serverfqdn.cert.$format

It works.   But if I DON'T want a CRL or OCSP support and I use:

crlDP=
ocspIAI=

with the same command I get:


Error Loading extension section server_cert
3069510608:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
3069510608:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:316:
3069510608:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
3069510608:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=

So I need a way to have a 'null' value for NO CRL or NO OCSP.

I don't want to have to use sed to edit the config file based on what
the goal is...

thanks

Bob
On 09/06/2017 12:23 PM, Robert Moskowitz wrote:

Re: Env variables in config file to add a whole line

Salz, Rich via openssl-users

    $crlDP
    $ocspIAI

This is not supported.  You can only put variables in *values*.


Re: Env variables in config file to add a whole line

Robert Moskowitz


On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote:
> …
>
>      $crlDP
>      $ocspIAI
>      
>
> This is not supported.  You can only put variables in *values*

OK.  But now I have to work out <null> values.

Bob


Re: Env variables in config file to add a whole line

Jakob Bohm-7
On 06/09/2017 19:34, Robert Moskowitz wrote:

>
>
> On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote:
>> …
>>
>>      $crlDP
>>      $ocspIAI
>>
>> This is not supported.  You can only put variables in *values*
>
> OK.  But now I have to work out <null> values.
>
> Bob
>
As previously, have a set of "certificate profiles" (the name other CA
products use), in the form of different [foo_ext] and [policy_foo]
sections in the CA's openssl.cnf, then run "openssl ca -extensions
foo_ext -policy policy_foo ..."

Since each CA needs its own directory anyway, each CA would have its
own openssl.cnf (generated by a script that sets up the CA).

For example, "foo" could be "server" (has crl and ocsp, plus other
relevant settings), "client" (has crl and ocsp, plus different
relevant settings), "ocsp-signer" (no crl, no ocsp, short lifespan,
other relevant settings), "ecu" (has crl and ocsp, plus different
settings again), etc. etc.

Very different certificate purposes should ideally have their own
SubCAs that can be managed differently, and have the CA cert
restricted.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

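The following script is an added example and is not code from this thread or from the OpenSSL project. It puts together Rich's point (a $ENV:: reference is only legal on the right-hand side of a key, never as a whole line) and Jakob's suggestion (separate extension sections chosen with "openssl ca -extensions"): one openssl.cnf carries a [server_cert] profile that emits crlDistributionPoints and authorityInfoAccess from the crlDP and ocspIAI environment variables, and an [ocsp_signer_cert] profile that simply leaves those keys out, so no "null" value is ever needed. It assumes an openssl binary (1.1.1 or later) on PATH; the CADIR variable, the throwaway CA layout, the section and policy names, and the CN values are assumptions for the demo, and the two URLs are reused from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: one openssl.cnf with two extension
# "profiles", selected per issuance with `openssl ca -extensions`, so that
# CRL/OCSP pointers are present or absent without ever needing an empty
# value.  $ENV:: is still used, but only on the right-hand side of a key.
# The CA layout, section names, CNs and CADIR are assumptions for the demo.
set -eu

# Create a throwaway CA under $1 (directories, database, config, self-signed
# CA cert) and export the environment variables the config refers to.
setup_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private" "$dir/csr"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $ENV::CADIR
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
private_key   = $dir/private/ca.key.pem
certificate   = $dir/certs/ca.cert.pem
default_md    = sha256
policy        = policy_cn_only

[ policy_cn_only ]
commonName = supplied

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Profile "server": carries CRL DP and OCSP AIA, values taken from the env.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
crlDistributionPoints  = $ENV::crlDP
authorityInfoAccess    = $ENV::ocspIAI

# Profile "ocsp-signer": no CRL DP, no AIA (checking the responder's own
# cert via OCSP would be circular), so the keys are simply absent.
[ ocsp_signer_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = OCSPSigning
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # $ENV:: references are expanded when the file is parsed, so every
    # openssl invocation that loads it (req included) needs these set.
    export CADIR="$dir"
    export crlDP="URI:http://www.htt-consult.com/pki/intermediate.crl.pem"
    export ocspIAI="OCSP;URI:http://ocsp.htt-consult.com"
    openssl req -config "$dir/openssl.cnf" -new -x509 -sha256 -days 30 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/private/ca.key.pem" -subj "/CN=Example Test CA" \
        -extensions v3_ca -out "$dir/certs/ca.cert.pem" >>"$dir/openssl.log" 2>&1
}

# Generate a key and CSR for CN=$2 and have the CA sign it with extension
# section $3.  Prints the path of the issued certificate.
issue_cert() {
    dir="$1"; name="$2"; profile="$3"
    openssl req -config "$dir/openssl.cnf" -new -sha256 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/private/$name.key.pem" -subj "/CN=$name" \
        -out "$dir/csr/$name.csr.pem" >>"$dir/openssl.log" 2>&1
    openssl ca -config "$dir/openssl.cnf" -batch -days 375 -md sha256 -notext \
        -extensions "$profile" -in "$dir/csr/$name.csr.pem" \
        -out "$dir/certs/$name.cert.pem" >>"$dir/openssl.log" 2>&1
    echo "$dir/certs/$name.cert.pem"
}

# Exit 0 if the certificate at $1 shows extension $2 in its text dump.
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}
has_crl_dp() { has_ext "$1" 'CRL Distribution Points'; }
has_aia()    { has_ext "$1" 'Authority Information Access'; }

demo() {
    tmp=$(mktemp -d)
    setup_ca "$tmp"
    srv=$(issue_cert "$tmp" www.example.test server_cert)
    ocsp=$(issue_cert "$tmp" ocsp.example.test ocsp_signer_cert)
    for c in "$srv" "$ocsp"; do
        if has_crl_dp "$c"; then echo "$c: CRL DP present"; else echo "$c: no CRL DP"; fi
    done
    rm -rf "$tmp"
}

demo
```

The choice between the two profiles is made once, on the command line, rather than by trying to blank a key at parse time; the same pattern extends to a separate -policy section per profile, as Jakob describes.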