On Sat May 03 10:44:05 2014, olaf.ruehenb...@rub.de wrote:

> Hey there,
>
> I have encountered an issue with OpenSSL req:
>
> I use two sections for my CA, one for the certificate request
> extensions and one for the selfsigned root certificate as specified by
> the manpage:
>
> [ req ]
>
> #[...]
> prompt=no
>
> req_extensions = req_ext
> x509_extensions = x509_ext
> #[...]
>
> In the first I use $ENV::VARNAME to set keyUsage and extendedKeyUsage
> like this:
>
> [ req_ext ]
>
> basicConstraints=CA:FALSE
> keyUsage=$ENV::KEY_KEYUSAGE
> extendedKeyUsage=$ENV::KEY_EKEYUSAGE
> subjectKeyIdentifier=hash
>
> and for the -x509 section I use:
>
> [ x509_ext ]
>
> basicConstraints=critical,CA:TRUE,pathlen:0
> keyUsage=critical,keyCertSign,cRLSign
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
>
> When I execute the root certificate generation:
>
> export KEY_CN="foo ca"
> export KEY_ORG="foo inc"
> openssl req -config openssl.cnf -new -x509 -out root.crt
> -passout pass:foobar -keyout root.key -days 3650
>
> I get this error:
>
> error on line 24 of openssl.cnf
> 140003809027728:error:0E065068:configuration file
> routines:STR_COPY:variable has no value:conf_def.c:618:line 24
>
> Line 24 in openssl.cnf: keyUsage=$ENV::KEY_KEYUSAGE
>
> Which is obviously in the wrong section for a command like that.
> Workaround:
>
> export KEY_KEYUSAGE="digitalSignature"
> export KEY_EKEYUSAGE="serverAuth"
>
> And it works flawlessly with the same command, not using the provided
> values at all as they are overwritten by the x509 section:
>
That's the way config files behave. An attempt is made to expand all environment variables in all sections when the file is read, and if one is absent it is an error. It doesn't matter whether the section is actually used or not.

A workaround is to provide values in the default section; then they will be used if the corresponding variable is undefined.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
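The load-time expansion failure and Steve's default-section workaround, reproduced end to end as an added example (not code from either poster). The config mirrors Olaf's sections with a literal DN section in place of his elided one; the file, directory and function names are assumptions, and the script simply reports when no openssl binary is available.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the load-time $ENV::
# expansion failure and the default-section workaround Steve describes.
# Config mirrors the poster's sections; file/function names are assumptions.
set -eu

# Write a minimal openssl.cnf to $1. When $2 is 1, the unnamed default
# section at the top supplies fallbacks used whenever the variable is unset.
write_cnf() {
    {
        if [ "$2" = 1 ]; then
            echo 'KEY_KEYUSAGE = digitalSignature'   # fallback for $ENV::KEY_KEYUSAGE
            echo 'KEY_EKEYUSAGE = serverAuth'        # fallback for $ENV::KEY_EKEYUSAGE
        fi
        cat <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
x509_extensions = x509_ext
[ dn ]
CN = foo ca
O = foo inc
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = $ENV::KEY_KEYUSAGE
extendedKeyUsage = $ENV::KEY_EKEYUSAGE
subjectKeyIdentifier = hash
[ x509_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    } > "$1"
}

# Run the poster's root-certificate command with both KEY_* variables unset.
# Returns 0 if the certificate is produced, 1 if the config fails to load.
try_req() {
    ( unset KEY_KEYUSAGE KEY_EKEYUSAGE
      openssl req -config "$1" -new -x509 -days 3650 -newkey rsa:2048 -nodes \
          -keyout "${1%.cnf}.key" -out "${1%.cnf}.crt" ) >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    write_cnf "$d/plain.cnf" 0; try_req "$d/plain.cnf" && echo "plain: ok" || echo "plain: variable has no value"
    write_cnf "$d/defaults.cnf" 1; try_req "$d/defaults.cnf" && echo "defaults: ok" || echo "defaults: failed"
else
    echo "openssl not found; configs only"
fi
```

With openssl present the first run fails exactly as in Olaf's report even though only x509_ext is used, and the second run succeeds because the default section satisfies the $ENV:: lookups in req_ext.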