verbosity of `openssl ca` error

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

verbosity of `openssl ca` error

Erich Eckner
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I'm trying to sign a csr by running
`CA=signing-ca openssl ca -verbose -config /etc/simple-pki/ca-ssl.conf -name signing_ca -in /tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.csr -out /tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.crt -extensions server_ext`
but it fails with exit code 1, solely printing the message
"Using configuration from /etc/simple-pki/ca-ssl.conf"

How can I see what's going wrong? Should I use gdb and/or strace to find
what the issue is or is there an easier option to enable debug output?

For the sake of completeness, here comes the content of
- -------->8--------/etc/simple-pki/ca-ssl.conf----------->8--------------
# Simple Root & Signing CA

# The [default] section contains global constants that can be referred to from
# the entire configuration file. It may also hold settings pertaining to more
# than one openssl command.

[ default ]
ca                      = $ENV::CA
dir                     = /etc/simple-pki   # Top dir

# The next part of the configuration file is used by the openssl req command.
# It defines the CA's key pair, its DN, and the desired extensions for the CA
# certificate.

[ req ]
default_bits            = 4096                  # RSA key size
encrypt_key             = no                    # Protect private key
default_md              = sha1                  # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Don't prompt for DN
distinguished_name      = ca_dn                 # DN section
req_extensions          = ca_reqext             # Desired extensions

[ ca_dn ]
0.domainComponent       = "net"
1.domainComponent       = "eckner"
organizationName        = "Eckner Net"
organizationalUnitName  = "Eckner Net CA"
commonName              = "Eckner Net Root CA"

[ ca_reqext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash

# The remainder of the configuration file is used by the openssl ca command.
# The CA section defines the locations of CA assets, as well as the policies
# applying to the CA.

[ root_ca ]
certificate             = $dir/ca/$ca.crt       # The CA cert
private_key             = $dir/ca/$ca/private/$ca.key # CA private key
new_certs_dir           = $dir/ca/$ca           # Certificate archive
serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
database                = $dir/ca/$ca/db/$ca.db # Index file
unique_subject          = no                    # Require unique subject
default_days            = 365                   # How long to certify for
default_md              = sha1                  # MD to use
policy                  = match_pol             # Default naming policy
email_in_dn             = no                    # Add email to cert DN
preserve                = no                    # Keep passed DN ordering
name_opt                = ca_default            # Subject DN display
options
cert_opt                = ca_default            # Certificate display
options
copy_extensions         = none                  # Copy extensions from CSR
x509_extensions         = signing_ca_ext        # Default cert extensions
default_crl_days        = 30                    # How long before next CRL
crl_extensions          = crl_ext               # CRL extensions

[ signing_ca ]
certificate             = $dir/ca/$ca.crt       # The CA cert
private_key             = $dir/ca/$ca/private/$ca.key # CA private key
new_certs_dir           = $dir/ca/$ca           # Certificate archive
serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
database                = $dir/ca/$ca/db/$ca.db # Index file
unique_subject          = no                    # Require unique subject
default_days            = 60                    # How long to certify for
default_md              = sha1                  # MD to use
policy                  = match_pol             # Default naming policy
email_in_dn             = no                    # Add email to cert DN
preserve                = no                    # Keep passed DN ordering
name_opt                = ca_default            # Subject DN display
options
cert_opt                = ca_default            # Certificate display
options
copy_extensions         = copy                  # Copy extensions from CSR
x509_extensions         = email_ext             # Default cert extensions
default_crl_days        = 7                     # How long before next CRL
crl_extensions          = crl_ext               # CRL extensions

# Naming policies control which parts of a DN end up in the certificate and
# under what circumstances certification should be denied.

[ match_pol ]
domainComponent         = match                 # Must match 'simple.org'
organizationName        = match                 # Must match 'Simple Inc'
organizationalUnitName  = optional              # Included if present
commonName              = supplied              # Must be present

[ any_pol ]
domainComponent         = optional
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

# Certificate extensions define what types of certificates the CA is able to
# create.

[ root_ca_ext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

[ signing_ca_ext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true,pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

# Certificate extensions define what types of certificates the CA is able to
# create.

[ email_ext ]
keyUsage                = critical,digitalSignature,keyEncipherment
basicConstraints        = CA:false
extendedKeyUsage        = emailProtection,clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

[ server_ext ]
keyUsage                = critical,digitalSignature,keyEncipherment
basicConstraints        = CA:false
extendedKeyUsage        = serverAuth,clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

# CRL extensions exist solely to point to the CA certificate that has issued
# the CRL.

[ crl_ext ]
authorityKeyIdentifier  = keyid:always
- --------8<--------/etc/simple-pki/ca-ssl.conf-----------8<--------------

regards,
Erich

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl3nbZcACgkQCu7JB1Xa
e1pJdQ//fCLL2aBokfMvsVB7y5nEegxYZ6IVNnPSFAO4dBXkvnQ5AjiF+f2U7H05
I6pzGoYO1obyPyqm49TRfcOW4J3RbQ/k4JKtqW/eplqwOMGZ0QhHmGQNOIn9RDkR
FIYeKZlQN92ArOC2SAY6Br9l9ok7ovd8ScvOR9aKga1usG5TRHh5GrzzM7tdVAoM
3RGzm+X+/8efOTchkt2rYZcTf9hhzuvHXcZfJtxnGxuXAQfaXhaLN5x91lQ6qJJc
houZqLXHznuygYyM21steeW0bCJjWZS664HB3pnPXaRiz6R4WO5bJTGBIElGpDA8
wBimQGViR++GN+4ZNLX0ha+OZYdACewakR5qXJhJIKThJwpfOpm7aFHqHvijYN+/
dw9Z16rTlXLenBbJIji57KFtv9p3VvzHCyo1RXFpcEGW5NFw3bSBXkoR0UrlB9tj
/Mr3gL22YzrNB5MKUsdypunypTJ5J9Et1fxjPpRYzwm+uDaH/ktTKXX5O2VQ+9S7
yraG0G3Pkw6LX8ElcmwoBHtxccGMuXf41owPAMvCf+QaIJ9XsaMt6YlbbXhZEx60
wcD3n7QXkoLKkxQpoolnaW48PVqOr08FdNhEUD3rtML3nGCxC+Wmwh7xOCprUtq2
JnbYs8ShICnrts0GMLuJWEbwUI/IgiOWucPQ0ex9GO38+me5/Ck=
=Ho1j
-----END PGP SIGNATURE-----
Reply | Threaded
Open this post in threaded view
|

Re: verbosity of `openssl ca` error

Erich Eckner
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I found the cause of my issue: When creating a new intermediate ca, I did
not purge the old directory, thus starting with an serial>01 and issued
certificates, revocation list which does not match the new private key.

Still my wish remains: a more verbose error message would have made the
problem with the setup much clearer!

regards,
Erich

On Wed, 4 Dec 2019, Erich Eckner wrote:

> Hi,
>
> I'm trying to sign a csr by running
> `CA=signing-ca openssl ca -verbose -config /etc/simple-pki/ca-ssl.conf -name
> signing_ca -in /tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.csr -out
> /tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.crt -extensions server_ext`
> but it fails with exit code 1, solely printing the message
> "Using configuration from /etc/simple-pki/ca-ssl.conf"
>
> How can I see what's going wrong? Should I use gdb and/or strace to find what
> the issue is or is there an easier option to enable debug output?
>
> For the sake of completeness, here comes the content of -
> -------->8--------/etc/simple-pki/ca-ssl.conf----------->8--------------
> # Simple Root & Signing CA
>
> # The [default] section contains global constants that can be referred to
> from
> # the entire configuration file. It may also hold settings pertaining to more
> # than one openssl command.
>
> [ default ]
> ca                      = $ENV::CA
> dir                     = /etc/simple-pki   # Top dir
>
> # The next part of the configuration file is used by the openssl req command.
> # It defines the CA's key pair, its DN, and the desired extensions for the CA
> # certificate.
>
> [ req ]
> default_bits            = 4096                  # RSA key size
> encrypt_key             = no                    # Protect private key
> default_md              = sha1                  # MD to use
> utf8                    = yes                   # Input is UTF-8
> string_mask             = utf8only              # Emit UTF-8 strings
> prompt                  = no                    # Don't prompt for DN
> distinguished_name      = ca_dn                 # DN section
> req_extensions          = ca_reqext             # Desired extensions
>
> [ ca_dn ]
> 0.domainComponent       = "net"
> 1.domainComponent       = "eckner"
> organizationName        = "Eckner Net"
> organizationalUnitName  = "Eckner Net CA"
> commonName              = "Eckner Net Root CA"
>
> [ ca_reqext ]
> keyUsage                = critical,keyCertSign,cRLSign
> basicConstraints        = critical,CA:true
> subjectKeyIdentifier    = hash
>
> # The remainder of the configuration file is used by the openssl ca command.
> # The CA section defines the locations of CA assets, as well as the policies
> # applying to the CA.
>
> [ root_ca ]
> certificate             = $dir/ca/$ca.crt       # The CA cert
> private_key             = $dir/ca/$ca/private/$ca.key # CA private key
> new_certs_dir           = $dir/ca/$ca           # Certificate archive
> serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
> crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
> database                = $dir/ca/$ca/db/$ca.db # Index file
> unique_subject          = no                    # Require unique subject
> default_days            = 365                   # How long to certify for
> default_md              = sha1                  # MD to use
> policy                  = match_pol             # Default naming policy
> email_in_dn             = no                    # Add email to cert DN
> preserve                = no                    # Keep passed DN ordering
> name_opt                = ca_default            # Subject DN display options
> cert_opt                = ca_default            # Certificate display options
> copy_extensions         = none                  # Copy extensions from CSR
> x509_extensions         = signing_ca_ext        # Default cert extensions
> default_crl_days        = 30                    # How long before next CRL
> crl_extensions          = crl_ext               # CRL extensions
>
> [ signing_ca ]
> certificate             = $dir/ca/$ca.crt       # The CA cert
> private_key             = $dir/ca/$ca/private/$ca.key # CA private key
> new_certs_dir           = $dir/ca/$ca           # Certificate archive
> serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
> crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
> database                = $dir/ca/$ca/db/$ca.db # Index file
> unique_subject          = no                    # Require unique subject
> default_days            = 60                    # How long to certify for
> default_md              = sha1                  # MD to use
> policy                  = match_pol             # Default naming policy
> email_in_dn             = no                    # Add email to cert DN
> preserve                = no                    # Keep passed DN ordering
> name_opt                = ca_default            # Subject DN display options
> cert_opt                = ca_default            # Certificate display options
> copy_extensions         = copy                  # Copy extensions from CSR
> x509_extensions         = email_ext             # Default cert extensions
> default_crl_days        = 7                     # How long before next CRL
> crl_extensions          = crl_ext               # CRL extensions
>
> # Naming policies control which parts of a DN end up in the certificate and
> # under what circumstances certification should be denied.
>
> [ match_pol ]
> domainComponent         = match                 # Must match 'simple.org'
> organizationName        = match                 # Must match 'Simple Inc'
> organizationalUnitName  = optional              # Included if present
> commonName              = supplied              # Must be present
>
> [ any_pol ]
> domainComponent         = optional
> countryName             = optional
> stateOrProvinceName     = optional
> localityName            = optional
> organizationName        = optional
> organizationalUnitName  = optional
> commonName              = optional
> emailAddress            = optional
>
> # Certificate extensions define what types of certificates the CA is able to
> # create.
>
> [ root_ca_ext ]
> keyUsage                = critical,keyCertSign,cRLSign
> basicConstraints        = critical,CA:true
> subjectKeyIdentifier    = hash
> authorityKeyIdentifier  = keyid:always
>
> [ signing_ca_ext ]
> keyUsage                = critical,keyCertSign,cRLSign
> basicConstraints        = critical,CA:true,pathlen:0
> subjectKeyIdentifier    = hash
> authorityKeyIdentifier  = keyid:always
>
> # Certificate extensions define what types of certificates the CA is able to
> # create.
>
> [ email_ext ]
> keyUsage                = critical,digitalSignature,keyEncipherment
> basicConstraints        = CA:false
> extendedKeyUsage        = emailProtection,clientAuth
> subjectKeyIdentifier    = hash
> authorityKeyIdentifier  = keyid:always
>
> [ server_ext ]
> keyUsage                = critical,digitalSignature,keyEncipherment
> basicConstraints        = CA:false
> extendedKeyUsage        = serverAuth,clientAuth
> subjectKeyIdentifier    = hash
> authorityKeyIdentifier  = keyid:always
>
> # CRL extensions exist solely to point to the CA certificate that has issued
> # the CRL.
>
> [ crl_ext ]
> authorityKeyIdentifier  = keyid:always
> - --------8<--------/etc/simple-pki/ca-ssl.conf-----------8<--------------
>
> regards,
> Erich
>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl3qZdMACgkQCu7JB1Xa
e1q+iQ//ZHTpV9yLPUZj3U2g2DKN5iCT3JcNAO3hiwtFyletDIzuks3CsJCLnHEz
k5qDJ/JpyJz6kMrj9wffxYwBsbo9NL8bFdlt58u0PQYSlqxq6ZGO9NSmhf+3mzvO
nD7xiBR9UD8/Yh4pzMtGAGD4Wd2jvBkZtnRcJmayhSurniSnkSQYL932SwkL/q6Q
4sQoZ2axViuRnUdLctMarDOLLmwYS1duDOjlcdpdSYmkzh7I8uAfHjm5lKscBsn1
LX/nvB80fb8MYuUV+CdCvQvZr0mV0nIm1aU8IvXyBCR2ZuV0yulL4DS7DX/JSg3M
BR6kmT/PFxiNkMcNkNnZmYNT4zzoE4WbmvthtClniAxpDNtIefbLCOt4vPfh4RK+
TbI3PZPEt1S0sZYa1CqCa2hR2XfHoX46KySa6hdni7tQQM+EYiYpginpBI67OPDV
bnI4UjUXEUgl5gwWXiPfUMrHBdKUHxpzFfGsHzCbslFr30Dm6NZs5lOZ2SmRNaSU
yNk9N6EHH3TblY1PjUZOkYSZKJpjOXhEXsNaSxZc8upoFesTp63G75+Ck17ZcX4C
i6pDnHY3fZ0usb2HjcQOFHnzXU2U7aCoRGWnDSUl0dN4X1kyWk23Y3nFP6jdgsUi
aAu+2id1oWFqaDEHRzyzxDtYsRtqmlA75rcZNmdmrG8jK0Q2XWM=
=Lsck
-----END PGP SIGNATURE-----