Errors on EndEntity cert generation


Errors on EndEntity cert generation

Robert Moskowitz
The hits just keep on coming.  Made my cert req,

    openssl req -config $dir/openssl-intermediate.cnf\
        -key $dir/private/$serverfqdn.key.$format \
        -subj "$DN" -new -out $dir/csr/$serverfqdn.csr.$format

DN='/C=US/ST=MI/L=Oak Park/O=HTT Consulting'

then tried to make the cert with:

    openssl ca -config $dir/openssl-intermediate.cnf -days 375\
        -extensions server_cert -notext -md null \
        -in $dir/csr/$serverfqdn.csr.$format\
        -out $dir/certs/$serverfqdn.cert.$format

(note use of -md null and nothing got the earlier error)

Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Error Loading extension section server_cert
3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=


Please help me with these latest errors.

Thanks

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Errors on EndEntity cert generation

Viktor Dukhovni


> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <[hidden email]> wrote:
>
> Error Loading extension section server_cert

> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
> 3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
> 3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
> 3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
>
> Please help me with these latest errors.

Start with a less exotic ".cnf" file.  These are all configuration errors,
unrelated to ed25519.  Get a working RSA config file, and then switch
algorithms.

--
        Viktor.


Re: Errors on EndEntity cert generation

Robert Moskowitz


On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:

>
>> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <[hidden email]> wrote:
>>
>> Error Loading extension section server_cert
>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
>> 3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
>> 3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
>> 3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
>>
>> Please help me with these latest errors.
> Start with a less exotic ".cnf" file.  These are all configuration errors,
> unrelated to ed25519.  Get a working RSA config file, and then switch
> algorithms.
>
I am using a working ecdsa config file (the one in my
draft-moskowitz-ecdsa-pki):

# OpenSSL intermediate CA configuration file.
# Copy to `$dir/intermediate/openssl-intermediate.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir= $ENV::dir
cadir = $ENV::cadir
format= $ENV::format

certs = $dir/certs
crl_dir  = $dir/crl
new_certs_dir  = $dir/newcerts
database = $dir/index.txt
serial= $dir/serial
RANDFILE = $dir/private/.rand

# The Intermediate key and Intermediate certificate.
private_key = $dir/private/intermediate.key.$format
certificate = $dir/certs/intermediate.cert.$format

# For certificate revocation lists.
crlnumber= $dir/crlnumber
crl= $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days  = $ENV::default_crl_days

# SHA-1 is deprecated, so use SHA-2 instead.
# default_md  = sha256

name_opt = ca_default
cert_opt = ca_default
default_days= 375
preserve = no
policy= policy_loose
copy_extensions= copy

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName  = match
organizationName  = match
organizationalUnitName  = optional
commonName  = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more
#  diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName  = optional
localityName= optional
organizationName  = optional
organizationalUnitName  = optional
commonName  = optional
UID= optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits  = 2048
distinguished_name  = req_distinguished_name
string_mask= utf8only
req_extensions= req_ext

# SHA-1 is deprecated, so use SHA-2 instead.
# default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions  = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName= Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName  = Locality Name
0.organizationName  = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
UID  = User ID

# Optionally, specify some defaults.
# countryName_default = US
# stateOrProvinceName_default  = MI
# localityName_default= Oak Park
# 0.organizationName_default= HTT Consulting
# organizationalUnitName_default  =

[ req_ext ]
subjectAltName = $ENV::subjectAltName

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
# keyUsage = critical, digitalSignature, cRLSign, keyCertSign
keyUsage = critical, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
# keyUsage = critical, digitalSignature, cRLSign, keyCertSign
keyUsage = critical, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning



Re: Errors on EndEntity cert generation

Viktor Dukhovni
On Jul 27, 2018, at 1:20 PM, Robert Moskowitz <[hidden email]> wrote:

>
> On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
>>
>>> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <[hidden email]> wrote:
>>>
>>> Error Loading extension section server_cert
>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
>>> 3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
>>> 3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
>>> 3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
>>>
>>> Please help me with these latest errors.
>> Start with a less exotic ".cnf" file.  These are all configuration errors,
>> unrelated to ed25519.  Get a working RSA config file, and then switch
>> algorithms.
>>
> I am using a working ecdsa config file

It is a good idea to read that file and match the error messages
to the file content.  You'll quickly find a bunch of $ENV:: settings
that must yield non-empty results, but you (surely) don't have those
environment variables set...  There are perhaps other issues.

> (the one in my draft-moskowitz-ecdsa-pki):
>
> # OpenSSL intermediate CA configuration file.
> # Copy to `$dir/intermediate/openssl-intermediate.cnf`.
>
> [ ca ]
> # `man ca`
> default_ca = CA_default
>
> [ CA_default ]
> # Directory and file locations.
> dir= $ENV::dir
> cadir = $ENV::cadir
> format= $ENV::format
>
> certs = $dir/certs
> crl_dir  = $dir/crl
> new_certs_dir  = $dir/newcerts
> database = $dir/index.txt
> serial= $dir/serial
> RANDFILE = $dir/private/.rand
>
> # The Intermediate key and Intermediate certificate.
> private_key = $dir/private/intermediate.key.$format
> certificate = $dir/certs/intermediate.cert.$format
>
> # For certificate revocation lists.
> crlnumber= $dir/crlnumber
> crl= $dir/crl/intermediate.crl.pem
> crl_extensions = crl_ext
> default_crl_days  = $ENV::default_crl_days
>
> # SHA-1 is deprecated, so use SHA-2 instead.
> # default_md  = sha256
>
> name_opt = ca_default
> cert_opt = ca_default
> default_days= 375
> preserve = no
> policy= policy_loose
> copy_extensions= copy
>
> [ policy_strict ]
> # The root CA should only sign intermediate certificates that match.
> # See the POLICY FORMAT section of `man ca`.
> countryName = match
> stateOrProvinceName  = match
> organizationName  = match
> organizationalUnitName  = optional
> commonName  = optional
>
> [ policy_loose ]
> # Allow the intermediate CA to sign a more
> #  diverse range of certificates.
> # See the POLICY FORMAT section of the `ca` man page.
> countryName = optional
> stateOrProvinceName  = optional
> localityName= optional
> organizationName  = optional
> organizationalUnitName  = optional
> commonName  = optional
> UID= optional
>
> [ req ]
> # Options for the `req` tool (`man req`).
> default_bits  = 2048
> distinguished_name  = req_distinguished_name
> string_mask= utf8only
> req_extensions= req_ext
>
> # SHA-1 is deprecated, so use SHA-2 instead.
> # default_md = sha256
>
> # Extension to add when the -x509 option is used.
> x509_extensions  = v3_ca
>
> [ req_distinguished_name ]
> # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
> countryName= Country Name (2 letter code)
> stateOrProvinceName = State or Province Name
> localityName  = Locality Name
> 0.organizationName  = Organization Name
> organizationalUnitName = Organizational Unit Name
> commonName = Common Name
> UID  = User ID
>
> # Optionally, specify some defaults.
> # countryName_default = US
> # stateOrProvinceName_default  = MI
> # localityName_default= Oak Park
> # 0.organizationName_default= HTT Consulting
> # organizationalUnitName_default  =
>
> [ req_ext ]
> subjectAltName = $ENV::subjectAltName
>
> [ v3_ca ]
> # Extensions for a typical CA (`man x509v3_config`).
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true
> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
> keyUsage = critical, cRLSign, keyCertSign
>
> [ v3_intermediate_ca ]
> # Extensions for a typical intermediate CA (`man x509v3_config`).
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true, pathlen:0
> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
> keyUsage = critical, cRLSign, keyCertSign
>
> [ usr_cert ]
> # Extensions for client certificates (`man x509v3_config`).
> basicConstraints = CA:FALSE
> nsCertType = client, email
> nsComment = "OpenSSL Generated Client Certificate"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
> extendedKeyUsage = clientAuth, emailProtection
> crlDistributionPoints = $ENV::crlDP
> authorityInfoAccess = $ENV::ocspIAI
>
> [ server_cert ]
> # Extensions for server certificates (`man x509v3_config`).
> basicConstraints = CA:FALSE
> nsCertType = server
> nsComment = "OpenSSL Generated Server Certificate"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer:always
> keyUsage = critical, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> crlDistributionPoints = $ENV::crlDP
> authorityInfoAccess = $ENV::ocspIAI
>
> [ crl_ext ]
> # Extension for CRLs (`man x509v3_config`).
> authorityKeyIdentifier=keyid:always
>
> [ ocsp ]
> # Extension for OCSP signing certificates (`man ocsp`).
> basicConstraints = CA:FALSE
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer
> keyUsage = critical, digitalSignature
> extendedKeyUsage = critical, OCSPSigning

--
        Viktor.
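The advice above is to match each error to the `$ENV::` references in the .cnf and confirm that every one of them resolves to a non-empty value before running `openssl ca`. The script below is an added example for that check; it is not from the thread, from draft-moskowitz-ecdsa-pki, or from the OpenSSL project. It scans a config file for `$ENV::name` (and `${ENV::name}`) references and reports the ones that are unset or empty in the current shell. The variable names in the constructed demo fragment (dir, format, crlDP, ocspIAI) are taken from the posted config; the function names and the `check_env_refs.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of draft-moskowitz-ecdsa-pki:
# list every $ENV::name (or ${ENV::name}) reference in an OpenSSL .cnf and
# report the ones that are unset or empty in the current environment, so the
# gap is caught before `openssl ca` fails inside an extension section.

# Print the distinct variable names referenced via $ENV:: in the file, sorted.
env_refs() {
    grep -oE '\$\{?ENV::[A-Za-z0-9_]+' "$1" \
        | sed 's/^.*:://' \
        | LC_ALL=C sort -u
}

# Print the referenced names that are unset or empty in this shell, one per line.
missing_env_refs() {
    for name in $(env_refs "$1"); do
        # eval is safe here: env_refs only yields [A-Za-z0-9_]+ tokens.
        eval "val=\${$name:-}"
        [ -n "$val" ] || printf '%s\n' "$name"
    done
}

# Return 0 when every $ENV:: reference resolves to a non-empty value;
# otherwise print the gaps to stderr and return 1.
check_env_refs() {
    gaps=$(missing_env_refs "$1")
    if [ -n "$gaps" ]; then
        printf 'unset or empty environment variables referenced by %s:\n' "$1" >&2
        for name in $gaps; do printf '  %s\n' "$name" >&2; done
        return 1
    fi
    return 0
}

# Constructed fragment mirroring the thread's config (not the full file),
# so the check can be demonstrated without a real CA directory.
demo_cnf() {
    cat <<'EOF'
[ CA_default ]
dir= $ENV::dir
format= $ENV::format
[ server_cert ]
crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI
EOF
}

# Self-contained demonstration: check the constructed fragment against the
# current environment and return check_env_refs' status.
demo() {
    tmp=$(mktemp) || return 2
    demo_cnf > "$tmp"
    check_env_refs "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Run directly with the config path as the argument, e.g.
#   sh check_env_refs.sh /root/ca/intermediate/openssl-intermediate.cnf && openssl ca ...
if [ $# -gt 0 ]; then
    check_env_refs "$1"
    exit $?
fi
```

Run it with the intermediate .cnf as the argument just before `openssl ca`, or source it and call `demo` to see the constructed fragment fail until `crlDP` and `ocspIAI` are exported. The check treats an unset variable and an empty one alike, since neither gives `openssl ca` a usable crlDistributionPoints or authorityInfoAccess value.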


Re: Errors on EndEntity cert generation

Robert Moskowitz


On 07/27/2018 01:26 PM, Viktor Dukhovni wrote:

> On Jul 27, 2018, at 1:20 PM, Robert Moskowitz <[hidden email]> wrote:
>> On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
>>>> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz <[hidden email]> wrote:
>>>>
>>>> Error Loading extension section server_cert
>>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
>>>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=rand_serial
>>>> 3065065488:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:crypto/x509v3/v3_utl.c:360:
>>>> 3065065488:error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
>>>> 3065065488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=
>>>>
>>>> Please help me with these latest errors.
>>> Start with a less exotic ".cnf" file.  These are all configuration errors,
>>> unrelated to ed25519.  Get a working RSA config file, and then switch
>>> algorithms.
>>>
>> I am using a working ecdsa config file
> It is a good idea to read that file and match the error messages
> to the file content.  You'll quickly find a bunch of $ENV:: settings
> that must yield non-empty results, but you (surely) don't have those
> environment variables set...  There are perhaps other issues.

I read those messages and got stuck on the first and did not catch the
last 2.  My procedure did not set ocspIAI and crlDP.  :(

Even though my write up says to make sure to do this!  Sigh.

Got my EE server cert.  Onwards!

>
>> (the one in my draft-moskowitz-ecdsa-pki):
>>
>> # OpenSSL intermediate CA configuration file.
>> # Copy to `$dir/intermediate/openssl-intermediate.cnf`.
>>
>> [ ca ]
>> # `man ca`
>> default_ca = CA_default
>>
>> [ CA_default ]
>> # Directory and file locations.
>> dir= $ENV::dir
>> cadir = $ENV::cadir
>> format= $ENV::format
>>
>> certs = $dir/certs
>> crl_dir  = $dir/crl
>> new_certs_dir  = $dir/newcerts
>> database = $dir/index.txt
>> serial= $dir/serial
>> RANDFILE = $dir/private/.rand
>>
>> # The Intermediate key and Intermediate certificate.
>> private_key = $dir/private/intermediate.key.$format
>> certificate = $dir/certs/intermediate.cert.$format
>>
>> # For certificate revocation lists.
>> crlnumber= $dir/crlnumber
>> crl= $dir/crl/intermediate.crl.pem
>> crl_extensions = crl_ext
>> default_crl_days  = $ENV::default_crl_days
>>
>> # SHA-1 is deprecated, so use SHA-2 instead.
>> # default_md  = sha256
>>
>> name_opt = ca_default
>> cert_opt = ca_default
>> default_days= 375
>> preserve = no
>> policy= policy_loose
>> copy_extensions= copy
>>
>> [ policy_strict ]
>> # The root CA should only sign intermediate certificates that match.
>> # See the POLICY FORMAT section of `man ca`.
>> countryName = match
>> stateOrProvinceName  = match
>> organizationName  = match
>> organizationalUnitName  = optional
>> commonName  = optional
>>
>> [ policy_loose ]
>> # Allow the intermediate CA to sign a more
>> #  diverse range of certificates.
>> # See the POLICY FORMAT section of the `ca` man page.
>> countryName = optional
>> stateOrProvinceName  = optional
>> localityName= optional
>> organizationName  = optional
>> organizationalUnitName  = optional
>> commonName  = optional
>> UID= optional
>>
>> [ req ]
>> # Options for the `req` tool (`man req`).
>> default_bits  = 2048
>> distinguished_name  = req_distinguished_name
>> string_mask= utf8only
>> req_extensions= req_ext
>>
>> # SHA-1 is deprecated, so use SHA-2 instead.
>> # default_md = sha256
>>
>> # Extension to add when the -x509 option is used.
>> x509_extensions  = v3_ca
>>
>> [ req_distinguished_name ]
>> # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
>> countryName= Country Name (2 letter code)
>> stateOrProvinceName = State or Province Name
>> localityName  = Locality Name
>> 0.organizationName  = Organization Name
>> organizationalUnitName = Organizational Unit Name
>> commonName = Common Name
>> UID  = User ID
>>
>> # Optionally, specify some defaults.
>> # countryName_default = US
>> # stateOrProvinceName_default  = MI
>> # localityName_default= Oak Park
>> # 0.organizationName_default= HTT Consulting
>> # organizationalUnitName_default  =
>>
>> [ req_ext ]
>> subjectAltName = $ENV::subjectAltName
>>
>> [ v3_ca ]
>> # Extensions for a typical CA (`man x509v3_config`).
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always,issuer
>> basicConstraints = critical, CA:true
>> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>> keyUsage = critical, cRLSign, keyCertSign
>>
>> [ v3_intermediate_ca ]
>> # Extensions for a typical intermediate CA (`man x509v3_config`).
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always,issuer
>> basicConstraints = critical, CA:true, pathlen:0
>> # keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>> keyUsage = critical, cRLSign, keyCertSign
>>
>> [ usr_cert ]
>> # Extensions for client certificates (`man x509v3_config`).
>> basicConstraints = CA:FALSE
>> nsCertType = client, email
>> nsComment = "OpenSSL Generated Client Certificate"
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid,issuer
>> keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
>> extendedKeyUsage = clientAuth, emailProtection
>> crlDistributionPoints = $ENV::crlDP
>> authorityInfoAccess = $ENV::ocspIAI
>>
>> [ server_cert ]
>> # Extensions for server certificates (`man x509v3_config`).
>> basicConstraints = CA:FALSE
>> nsCertType = server
>> nsComment = "OpenSSL Generated Server Certificate"
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid,issuer:always
>> keyUsage = critical, digitalSignature, keyEncipherment
>> extendedKeyUsage = serverAuth
>> crlDistributionPoints = $ENV::crlDP
>> authorityInfoAccess = $ENV::ocspIAI
>>
>> [ crl_ext ]
>> # Extension for CRLs (`man x509v3_config`).
>> authorityKeyIdentifier=keyid:always
>>
>> [ ocsp ]
>> # Extension for OCSP signing certificates (`man ocsp`).
>> basicConstraints = CA:FALSE
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid,issuer
>> keyUsage = critical, digitalSignature
>> extendedKeyUsage = critical, OCSPSigning
