Here's a recipe for generating a CA directory for testing.
It assumes you have already generated a CA key and cert.
touch $CA_DIR/index.txt
echo '1000' > $CA_DIR/serial
echo '1000' > $CA_DIR/crlnumber
mkdir -m 700 $CA_DIR/newcerts
mkdir -m 700 $CA_DIR/private
mkdir $CA_DIR/certs
cp $CA_KEY $CA_DIR/private/ca_key.pem
chmod 600 $CA_DIR/private/ca_key.pem
cp $CA_CERT $CA_DIR/certs/ca_cert.pem
Those paths need to correspond to those set in the "[ CA_default ]"
section of the openssl.cnf file.
E.g.
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = somedir/ca_dir # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/ca_cert.pem
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1
CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca_key.pem
RANDFILE = $dir/.rand # private random number file
The initial crl file can be generated like so:
cat ca_key_passphrase_file.txt | openssl ca -gencrl -out $CA_DIR/crl.pem
-config /path/to/test.openssl.cnf -passin stdin
Use 'openssl req' to generate the cert request private key.
Use 'openssl spkac' to generate the spkac cert request data.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1828215
Title:
openssl ca -spkac output regressed
Status in OpenSSL:
Unknown
Status in openssl package in Ubuntu:
Confirmed
Status in openssl source package in Bionic:
Confirmed
Status in openssl source package in Cosmic:
Confirmed
Status in openssl source package in Disco:
Confirmed
Status in openssl source package in Eoan:
Confirmed
Bug description:
[Impact]
* openssl command line utility option parsing has regressed in
1.1.0i+ and produces binary output, where text output is expected,
breaking applications that parse that.
[Test Case]
* OPENSSL_ENABLE_MD5_VERIFY=1 openssl ca -config test.openssl.cnf
-passin stdin -batch -spkac input_file -startdate 190121130654Z
Currently produces binary goop.
Should produce PEM format Base64 encoded certificate data in a block
surrounded
with BEGIN/END certificate.
[Regression Potential]
* This is a regression in cosmic and up, and impeding regression in
bionic with the upcoming 1.1.1 SRU. A bugfix exists upstream.
[Other Info]
* Originally reported
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/comments/39
To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1828215/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
