First off, I have been following Raymii.org's tutorial 'OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation' (see: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html#Configuring_the_Intermediate_CA_1) and attempting to combine it with xperseguers' GitHub page on how to build and test an OCSP responder (see: https://github.com/xperseguers/ocsp-responder/blob/master/Documentation/CertificateAuthority.md).
Everything seems to be working, but I'm running into an issue with requesting a new certificate for the OCSP Server certificate:
openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr \
    -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' \
    -config ./openssl.cnf -extensions v3_OCSP
The OpenSSL config (./openssl.cnf) file is as follows.
# vim ca.conf
[ca]
default_ca = default_ca
[crl_ext]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[default_ca]
dir = ./
new_certs_dir = $dir/newcerts
unique_subject = no
certificate = $dir/certs/ocsp-rootca.crt
database = $dir/certindex
private_key = $dir/private/ocsp-rootca.key
serial = $dir/certserial
default_days = 3650
default_md = sha1
policy = ca_policy
x509_extensions = ca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730
[ca_policy]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ca_extensions]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[v3_OCSP]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
[alt_names]
DNS.0 = OCVPN Intermidiate CA 1
DNS.1 = OCVPN CA Intermidiate 1
[crl_section]
URI.0 = http://xxxxxx/ocvproot.crl
URI.2 = http://xxxxx/ocvproot.crl
[ocsp_section]
caIssuers;URI.0 = http://xxxxx/ocsp-root-ca.crt
caIssuers;URI.1 = http://xxxxxx/ocsp-root-ca.crt
OCSP;URI.0 = http://xxxxxx:59388
OCSP;URI.1 = http://xxxxxx:59388
The error is:
$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr \
    -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' \
    -extensions v3_OCSP
Error Loading extension section v3_OCSP
$>
If I include the -config option, I get something I kind of expect, since I don't have a 'req_distinguished_name' section:
$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr \
    -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' \
    -extensions v3_OCSP -config ./openssl.cnf
unable to find 'distinguished_name' in config
problems making Certificate Request
140084133627552:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name
$>
Any help would be great.
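A minimal configuration that `openssl req` will load for this CSR, added here as an example and not part of the original post: `req` looks for a `[req]` section that names a `distinguished_name` section (the error shown above), and the extension section for a request is selected with `-reqexts`, since OpenSSL 1.x applies `-extensions` only together with `-x509` (3.x accepts either flag). The temporary working directory and the key file name are assumptions; the `v3_OCSP` section is the one from the question.

```shell
#!/bin/sh
# Added example (not from the original post). `openssl req` requires a [req]
# section that names a distinguished_name section, even when -subj supplies
# every field; CSR extensions are selected with -reqexts (OpenSSL 1.x applies
# -extensions only together with -x509; 3.x accepts either flag).
# Assumptions: a temporary working directory and the file name ocsrv.key.
set -eu

make_ocsp_csr() {  # $1 = working dir; writes openssl.cnf, ocsrv.key, ocsrv.csr
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
prompt = no

# Defaults only; the -subj given on the command line overrides them.
[req_distinguished_name]
C = US
O = BouncingAnvils
CN = OCSPServer

# The question's section, unchanged: a non-CA key limited to OCSP signing.
[v3_OCSP]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/ocsrv.key" 2>/dev/null
  openssl req -new -sha256 -key "$1/ocsrv.key" -out "$1/ocsrv.csr" \
    -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' \
    -config "$1/openssl.cnf" -reqexts v3_OCSP
}

# Print the value line that follows the named X509v3 header in the CSR dump,
# so the result can be checked rather than eyeballed.
csr_ext() {  # $1 = CSR file, $2 = extension name as printed by -text
  openssl req -in "$1" -noout -text |
    awk -v name="$2" 'found { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
                      $0 ~ name { found = 1 }'
}

WORKDIR=$(mktemp -d)
make_ocsp_csr "$WORKDIR"
echo "Extended Key Usage: $(csr_ext "$WORKDIR/ocsrv.csr" "Extended Key Usage")"
echo "Basic Constraints:  $(csr_ext "$WORKDIR/ocsrv.csr" "Basic Constraints")"
```

The generated files are left under the temporary directory so the CSR can be inspected with `openssl req -text` afterwards.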