The unique_subject only occurs once in the file. I moved the statement:
unique_subject = no
to the [ ca] section. Same error :-(

I still see the following in the output:
**** DEBUG[load_index]: unique_subject = "yes" ***

I don't have any index file in the C:\Program Files\OpenSSL directory. Here's a directory listing:

C:\Program Files\OpenSSL>dir
 Volume in drive C is CDrive
 Volume Serial Number is DCE3-20C6

 Directory of C:\Program Files\OpenSSL

10/30/2007  07:30 AM    <DIR>          .
10/30/2007  07:30 AM    <DIR>          ..
11/06/2007  11:57 AM             1,024 .rnd
10/30/2007  07:28 AM             4,700 ca.bat
03/23/2005  09:52 AM         1,578,787 libeay32.dll
03/23/2005  09:53 AM           632,226 libssl32.dll
11/02/2007  01:35 PM             1,788 Notes.txt
11/06/2007  11:56 AM             3,490 openssl.conf
03/23/2005  09:51 AM         1,153,024 openssl.exe
               7 File(s)      3,375,039 bytes
               2 Dir(s)  26,369,331,200 bytes free

Attached is my entire openssl.conf file

Thanks in advance for all the help.

Frank

----- Original Message ----
From: Bernhard Froehlich <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Tuesday, November 6, 2007 10:53:40 AM
Subject: Re: ca client - failed to update database, TXT_DB error number 2

Frank Garber wrote:
> Hi Ted,
>
> Thanks for the help, but...
>
> Here's the line I added to the openssl.conf file:
> [ CA_default ]
> unique_subject = no
>
>
> Here's the error message. Note the output about the unique subject?
> --------------------------------------------------------------------
> Step 2: Sign the certificate
> --------------------------------------------------------------------
>
> Using configuration from C:\Progra~1\OpenSSL\openssl.conf
> Loading 'screen' into random state - done
> Enter pass phrase for C:\CA\private\CAkey.pem:
> DEBUG[load_index]: unique_subject = "yes"
> [...]

Now, what can this tell us? It tells us that openssl is quite sure you told it to use unique_subject=yes. Looks like openssl and you have some misunderstanding. ;)

Possible reasons:
- openssl is using another config file than you think it is. Not very probable since you surely crosschecked that you made your entry into C:\Progra~1\OpenSSL\openssl.conf
- You made your entry in the [ CA_default ] section but openssl uses another section. Check the [ ca ] section of your config.
- There are multiple "unique_subject" lines in the section with different settings, and openssl uses the wrong one. Check the section thoroughly.

If this does not help, I'd need the complete config file, plus the content of the index file (called "index" by default)

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26

####################################################################
# Sample OpenSSL configuration file #
####################################################################

RANDFILE = C:\\Progra~1\\OpenSSL\\.rnd

[ ca ]
default_ca = CA_default # The default ca section
unique_subject = no # FCG added 11/06/07

[ CA_default ]
dir = C:\\CA
certs = $dir\\certs # Where the issued certs are kept
crl_dir = $dir\\crl # Where the issued crl are kept
database = $dir\\index.txt # database index file.
new_certs_dir = $dir\\newcerts # default place for new certs.
certificate = $dir\\CAcert.pem # The CA certificate
serial = $dir\\serial # The current serial number
crl = $dir\\crl.pem # The current CRL
private_key = $dir\\private\\CAkey.pem # The private key
RANDFILE = $dir\\private\\.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering

####################################################################
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
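
Added example (not part of the original thread and not OpenSSL code): a small Python check that applies the second and third checks from the reply above to a config file, resolving the active CA section through default_ca and listing every unique_subject line by section. The sample text is a constructed excerpt of the posted openssl.conf, the function names are hypothetical, and the parser only understands plain `key = value` lines and `#` comments.

```python
import re

# Constructed sample: the relevant lines of the openssl.conf posted above.
SAMPLE_CONF = r"""
RANDFILE = C:\\Progra~1\\OpenSSL\\.rnd
[ ca ]
default_ca = CA_default # The default ca section
unique_subject = no # FCG added 11/06/07
[ CA_default ]
dir = C:\\CA
database = $dir\\index.txt # database index file.
"""

SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys."""
    sections, current = {"default": []}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (no quoting support)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def check_unique_subject(text, ca_name=None):
    """Return (active_section, {section: [values]}, findings) for unique_subject."""
    sections = parse_sections(text)
    # `openssl ca` uses the section named by default_ca in [ ca ] unless -name is given.
    active = ca_name or dict(sections.get("ca", [])).get("default_ca")
    hits = {s: [v for k, v in kv if k == "unique_subject"] for s, kv in sections.items()}
    hits = {s: v for s, v in hits.items() if v}
    findings = []
    for s, values in hits.items():
        # The unnamed top section is not flagged: config lookups fall back to it.
        if s not in (active, "default"):
            findings.append(f"unique_subject in [{s}] is outside the active CA section [{active}]")
        if len(values) > 1:
            findings.append(f"[{s}] has {len(values)} unique_subject lines: {values}")
    if active not in hits and "default" not in hits:
        findings.append(f"no unique_subject set for [{active}]")
    return active, hits, findings

if __name__ == "__main__":
    for finding in check_unique_subject(SAMPLE_CONF)[2]:
        print("finding:", finding)
```

Pass `ca_name` when the CA section is selected on the command line rather than through default_ca.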