Hi,

We're trying to generate a Certificate Authority on our Debian/Apachessl server. Here's the command we're entering:

openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7000

The above command kicks back the following error:

unable to find 'distinguished_name' in config
problems making Certificate Request
290:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
We checked the openssl FAQ and discovered this:

+++++
DIAGNOSTICS

The following messages are frequently asked about:
        Using configuration from /some/path/openssl.cnf
        Unable to load config info

This is followed some time later by...
        unable to find 'distinguished_name' in config
        problems making Certificate Request

The first error message is the clue: it can't find the configuration file! Certain operations (like examining a certificate request) don't need a configuration file so its use isn't enforced. Generation of certificates or requests however does need a configuration file. This could be regarded as a bug.

Another puzzling message is this:
        Attributes:
            a0:00

this is displayed when no attributes are present and the request includes the correct empty SET OF structure (the DER encoding of which is 0xa0 0x00). If you just see:
        Attributes:

then the SET OF is missing and the encoding is technically invalid (but it is tolerated). See the description of the command line option -asn1-kludge for more information.
+++++
We then followed the lead to this info about -asn1-kludge:

+++++
-asn1-kludge

by default the req command outputs certificate requests containing no attributes in the correct PKCS#10 format. However certain CAs will only accept requests containing no attributes in an invalid form: this option produces this invalid format.

More precisely the Attributes in a PKCS#10 certificate request are defined as a SET OF Attribute. They are not OPTIONAL so if no attributes are present then they should be encoded as an empty SET OF. The invalid form does not include the empty SET OF whereas the correct form does.

It should be noted that very few CAs still require the use of this option.
+++++
We then attempted to add the -asn1-kludge command to our req line in the following manner:

[EMAIL PROTECTED]:/etc/ssl# openssl req -asn1-kludge -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7000

And we received the same result as before:

unable to find 'distinguished_name' in config
problems making Certificate Request
302:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
Any ideas?

TIA,

Dan O'Brien

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
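One way past the error in the post above, as an added example that is not part of the original thread: the quoted FAQ says req cannot find its configuration file, so hand it one that defines distinguished_name via -config (or the OPENSSL_CONF environment variable). File paths and the DN values below are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: the quoted FAQ says req cannot
# find its configuration file, so hand it one that defines distinguished_name.
# Paths and DN values here are assumptions; substitute your own.
set -u

# Write a minimal openssl.cnf that is enough for a self-signed CA certificate.
# The [ req ] section's distinguished_name key is exactly what the error says
# is missing.  $1 = path of the config file to create.
write_min_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
CN = Example Test CA
O  = Example Org

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# The poster's command with an explicit -config (an alternative is exporting
# OPENSSL_CONF=/path/to/openssl.cnf).  -nodes keeps the run non-interactive;
# a real CA key should instead be encrypted and kept offline.
# $1 = config, $2 = private key output, $3 = certificate output.
# Returns openssl's exit status: non-zero if the config still lacks a
# distinguished_name section.
make_ca() {
    openssl req -new -x509 -config "$1" -keyout "$2" -out "$3" \
        -days 7000 -nodes >/dev/null 2>&1
}

# Stand-alone usage:  sh make_ca.sh /etc/ssl
if [ -n "${1:-}" ]; then
    mkdir -p "$1/private"
    write_min_ca_config "$1/openssl-ca.cnf"
    make_ca "$1/openssl-ca.cnf" "$1/private/cakey.pem" "$1/cacert.pem" &&
        openssl x509 -in "$1/cacert.pem" -noout -subject -dates
fi
```

Dropping the distinguished_name line from the generated config reproduces the "unable to find 'distinguished_name' in config" failure from the post.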
