[openssl-users] Intermediate cert file failure

2018-07-27 Thread Robert Moskowitz

on a default_md error:

   openssl req -config $cadir/openssl-root.cnf\
   -key $dir/private/intermediate.key.$format \
   -keyform $format -outform $format -subj "$DN" -new\
   -out $dir/csr/intermediate.csr.$format

format=pem

   openssl rand -hex $sn > $dir/serial # hex 8 is minimum, 19 is maximum

   openssl ca -config $cadir/openssl-root.cnf -days 3650\
   -extensions v3_intermediate_ca -notext\
   -in $dir/csr/intermediate.csr.$format\
   -out $dir/certs/intermediate.cert.pem

Using configuration from /root/ca/openssl-root.cnf
Enter pass phrase for /root/ca/private/ca.key.pem:
Can't open /root/ca/intermediate/index.txt.attr for reading, No such 
file or directory
3064446992:error:02001002:system library:fopen:No such file or 
directory:crypto/bio/bss_file.c:72:fopen('/root/ca/intermediate/index.txt.attr','r')
3064446992:error:2006D080:BIO routines:BIO_new_file:no such 
file:crypto/bio/bss_file.c:79:

variable lookup failed for CA_default::default_md
3064446992:error:0E06D06C:configuration file 
routines:NCONF_get_string:no 
value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md


Why is it asking for index.txt.attr?  I made serial which at least with 
ecdsa overrode using index.txt?


And then default_md is commented out in both my .cnf files.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Intermediate cert file failure

2018-07-27 Thread Viktor Dukhovni



> On Jul 27, 2018, at 11:25 AM, Robert Moskowitz wrote:
> 
> 3064446992:error:2006D080:BIO routines:BIO_new_file:no such 
> file:crypto/bio/bss_file.c:79:
> variable lookup failed for CA_default::default_md
> 3064446992:error:0E06D06C:configuration file routines:NCONF_get_string:no 
> value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md

Well ca(1) wants either an explicit "md" option or a default_md.
Perhaps it does not yet support ed25519.  You can sign directly
with "openssl x509", but first try

openssl ca -md null
or
openssl ca -md default

and see if either of those work.

-- 
Viktor.






Re: [openssl-users] Intermediate cert file failure

2018-07-27 Thread Robert Moskowitz



On 07/27/2018 12:35 PM, Viktor Dukhovni wrote:
>
>> On Jul 27, 2018, at 11:25 AM, Robert Moskowitz wrote:
>>
>> 3064446992:error:2006D080:BIO routines:BIO_new_file:no such
>> file:crypto/bio/bss_file.c:79:
>> variable lookup failed for CA_default::default_md
>> 3064446992:error:0E06D06C:configuration file routines:NCONF_get_string:no
>> value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
>
> Well ca(1) wants either an explicit "md" option or a default_md.
> Perhaps it does not yet support ed25519.  You can sign directly
> with "openssl x509", but first try
>
> openssl ca -md null
> or
> openssl ca -md default
>
> and see if either of those work.


-md null worked:

   openssl ca -config $cadir/openssl-root.cnf -days 3650\
   -extensions v3_intermediate_ca -notext -md null\
   -in $dir/csr/intermediate.csr.$format\
   -out $dir/certs/intermediate.cert.pem

Can't open /root/ca/intermediate/index.txt.attr for reading, No such 
file or directory
3064946704:error:02001002:system library:fopen:No such file or 
directory:crypto/bio/bss_file.c:72:fopen('/root/ca/intermediate/index.txt.attr','r')
3064946704:error:2006D080:BIO routines:BIO_new_file:no such 
file:crypto/bio/bss_file.c:79:

Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number:
    ad:0f:52:5d:91:70:1a:d3
    Validity
    Not Before: Jul 27 16:41:03 2018 GMT
    Not After : Jul 24 16:41:03 2028 GMT
    Subject:
    countryName   = US
    stateOrProvinceName   = MI
    organizationName  = HTT Consulting
    commonName    = Signing CA
    X509v3 extensions:
    X509v3 Subject Key Identifier:
DB:5F:0C:00:54:DD:A6:EB:61:BD:79:13:0A:2D:EA:0A:19:82:E8:C5
    X509v3 Authority Key Identifier:
keyid:D6:1B:BA:96:44:EF:F1:07:59:35:A7:F2:77:5F:82:24:21:53:9A:9F

    X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:0
    X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
    X509v3 Subject Alternative Name:
    email:postmas...@htt-consult.com
Certificate is to be certified until Jul 24 16:41:03 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

There was no file index.txt.attr, but now there is:

# cat index.txt.attr
unique_subject = yes

I don't remember this from my ecdsa work with 1.1.0

This issue with md is definitely an issue.  I can try -md null on the 
self-signed root cert, but it seems that this should not even be 
referenced for ed25519.


But I got my intermediate cert, so on to the next step.

thanks for your help, Viktor.




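Both things the thread ran into, the default_md lookup and the index.txt.attr file that appeared on its own, can be checked in a throwaway CA. The script below is an added example, not code from the thread or from the OpenSSL project. It builds an Ed25519 root and intermediate with "openssl ca" and then reads back what the thread observed. The "-md null" workaround above was tried on a 1.1.1 pre-release; this script instead keeps a default_md line in the config so the lookup cannot fail, and checks that the digest setting is irrelevant for Ed25519 by reading the signature algorithm out of the issued certificate (the apps drop the digest for keys whose mandatory default digest is undefined, so the certificate is signed with pure Ed25519). It also shows that index.txt.attr is written by "openssl ca" itself on commit with unique_subject = yes, and what that setting enforces. The directory layout (mirroring the thread's $dir/private, $dir/csr and $dir/certs), the config section names and the subject names are assumptions made for this script; it needs an openssl binary (1.1.1 or later) on PATH.

```sh
#!/bin/sh
# Added example, not from the thread: a scratch two-level Ed25519 CA driven by
# "openssl ca". Assumes openssl 1.1.1+ on PATH; the directory layout, section
# names and subject names below are made up for this script.

# Build the CA under $1: Ed25519 root, then an Ed25519 intermediate signed
# with "openssl ca" and the v3_intermediate_ca extensions.
build_ed25519_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/csr" "$dir/certs" "$dir/newcerts" || return 1
    : > "$dir/index.txt"                              # empty CA database
    openssl rand -hex 8 > "$dir/serial" || return 1   # 16 hex digits
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default

[ CA_default ]
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/certs/root.cert.pem
private_key   = $dir/private/root.key.pem
default_days  = 3650
policy        = policy_any
# The thread's lookup error is this line being absent. The value is
# irrelevant for Ed25519, which hashes internally; any digest name will do.
default_md    = sha256
# unique_subject is deliberately not set here: openssl ca reads it from
# index.txt.attr, assumes "yes" while that file is missing (1.1.x prints the
# "Can't open ... index.txt.attr" warning), and writes the file on commit.

[ policy_any ]
commonName    = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_root ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_intermediate_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl genpkey -algorithm ed25519 -out "$dir/private/root.key.pem" || return 1
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
        -key "$dir/private/root.key.pem" -subj "/CN=Example Root" \
        -extensions v3_root -out "$dir/certs/root.cert.pem" || return 1
    openssl genpkey -algorithm ed25519 -out "$dir/private/intermediate.key.pem" || return 1
    openssl req -config "$dir/openssl.cnf" -new \
        -key "$dir/private/intermediate.key.pem" -subj "/CN=Example Intermediate" \
        -out "$dir/csr/intermediate.csr.pem" || return 1
    # The thread's signing step, without -md: default_md satisfies the lookup.
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -extensions v3_intermediate_ca \
        -in "$dir/csr/intermediate.csr.pem" \
        -out "$dir/certs/intermediate.cert.pem" || return 1
}

# Signature algorithm recorded in a certificate, e.g. "ED25519".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Value openssl ca wrote to index.txt.attr on commit ("yes" or "no").
attr_unique_subject() {
    sed -n 's/^unique_subject *= *//p' "$1/index.txt.attr"
}

# Does the intermediate verify against the root?
chain_verifies() {
    openssl verify -CAfile "$1/certs/root.cert.pem" "$1/certs/intermediate.cert.pem" >/dev/null 2>&1
}

# With unique_subject = yes, a second request for an already-certified subject
# (fresh key, same CN) must leave the database untouched and yield no cert.
# The exit status of openssl ca is ignored on purpose: it reports the clash on
# stderr but has not always exited non-zero for it.
duplicate_subject_rejected() {
    dir=$1
    before=$(grep -c '' "$dir/index.txt" || true)
    openssl genpkey -algorithm ed25519 -out "$dir/private/dup.key.pem" 2>/dev/null || return 1
    openssl req -config "$dir/openssl.cnf" -new -key "$dir/private/dup.key.pem" \
        -subj "/CN=Example Intermediate" -out "$dir/csr/dup.csr.pem" 2>/dev/null || return 1
    openssl ca -config "$dir/openssl.cnf" -batch -notext -extensions v3_intermediate_ca \
        -in "$dir/csr/dup.csr.pem" -out "$dir/certs/dup.cert.pem" >/dev/null 2>&1 || true
    after=$(grep -c '' "$dir/index.txt" || true)
    [ "$after" = "$before" ] && ! openssl x509 -in "$dir/certs/dup.cert.pem" -noout 2>/dev/null
}

scratch=$(mktemp -d)
build_ed25519_ca "$scratch" && {
    echo "CA files under $scratch"
    echo "intermediate signed with: $(cert_sig_alg "$scratch/certs/intermediate.cert.pem")"
    echo "index.txt.attr: unique_subject = $(attr_unique_subject "$scratch")"
    chain_verifies "$scratch" && echo "chain verifies against the root"
}
```

Run it as-is and inspect the scratch directory it prints; on 1.1.x the first "openssl ca" call also prints the "Can't open ... index.txt.attr" noise from the thread, which is a warning, not a failure. If a CA needs to reissue to the same subject (renewals), set unique_subject = no in the CA_default section rather than deleting index.txt.attr; the database then stops catching accidental duplicates, so that is a deliberate policy choice for the CA, not a fix for the warning.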
Re: [openssl-users] Intermediate cert file failure

2018-07-30 Thread Tomas Mraz
On Fri, 2018-07-27 at 12:49 -0400, Robert Moskowitz wrote:
> 
> On 07/27/2018 12:35 PM, Viktor Dukhovni wrote:
> > 
> > > On Jul 27, 2018, at 11:25 AM, Robert Moskowitz wrote:
> > > 
> > > 3064446992:error:2006D080:BIO routines:BIO_new_file:no such
> > > file:crypto/bio/bss_file.c:79:
> > > variable lookup failed for CA_default::default_md
> > > 3064446992:error:0E06D06C:configuration file
> > > routines:NCONF_get_string:no
> > > value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
> > 
> > Well ca(1) wants either an explicit "md" option or a default_md.
> > Perhaps it does not yet support ed25519.  You can sign directly
> > with "openssl x509", but first try
> > 
> > openssl ca -md null
> > or
> > openssl ca -md default
> > 
> > and see if either of those work.
> > 
> 
> -md null worked:
> 
> openssl ca -config $cadir/openssl-root.cnf -days 3650\
> -extensions v3_intermediate_ca -notext -md null\
> -in $dir/csr/intermediate.csr.$format\
> -out $dir/certs/intermediate.cert.pem
> 
> Can't open /root/ca/intermediate/index.txt.attr for reading, No such 
> file or directory
> 3064946704:error:02001002:system library:fopen:No such file or 
> directory:crypto/bio/bss_file.c:72:fopen('/root/ca/intermediate/index
> .txt.attr','r')
> 3064946704:error:2006D080:BIO routines:BIO_new_file:no such 
> file:crypto/bio/bss_file.c:79:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>  Serial Number:
>  ad:0f:52:5d:91:70:1a:d3
>  Validity
>  Not Before: Jul 27 16:41:03 2018 GMT
>  Not After : Jul 24 16:41:03 2028 GMT
>  Subject:
>  countryName   = US
>  stateOrProvinceName   = MI
>  organizationName  = HTT Consulting
>  commonName= Signing CA
>  X509v3 extensions:
>  X509v3 Subject Key Identifier:
> DB:5F:0C:00:54:DD:A6:EB:61:BD:79:13:0A:2D:EA:0A:19:82:E8:C5
>  X509v3 Authority Key Identifier:
> keyid:D6:1B:BA:96:44:EF:F1:07:59:35:A7:F2:77:5F:82:24:21:53:9A:9F
> 
>  X509v3 Basic Constraints: critical
>  CA:TRUE, pathlen:0
>  X509v3 Key Usage: critical
>  Certificate Sign, CRL Sign
>  X509v3 Subject Alternative Name:
>  email:postmas...@htt-consult.com
> Certificate is to be certified until Jul 24 16:41:03 2028 GMT (3650
> days)
> Sign the certificate? [y/n]:y
> 
> 
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> 
> There was no file index.txt.attr, but now there is:
> 
> # cat index.txt.attr
> unique_subject = yes
> 
> I don't remember this from my ecdsa work with 1.1.0
> 
> This issue with md is definitely an issue.  I can try -md null on
> the 
> self-signed root cert, but it seems that this should not even be 
> referenced for ed25519
> 
> But I got my intermediate cert, so on to the next step.
> 
> thanks for your help, Viktor.

Please open a Github issue for the default_md problem. It really
hampers the usability.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
