
First off, I have been following Raymii.org's article 'OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation' (see: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html#Configuring_the_Intermediate_CA_1) and attempting to combine it with xperseguers' GitHub page on how to build and test an OCSP responder (see: https://github.com/xperseguers/ocsp-responder/blob/master/Documentation/CertificateAuthority.md).

Everything seems to be working, but I'm running into an issue with requesting a new certificate for the OCSP Server certificate:

openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' -config ./openssl.cnf -extensions v3_OCSP

The OpenSSL config (./openssl.cnf) file is as follows.

# vim ca.conf
[ca]
default_ca = default_ca

[crl_ext]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[default_ca]
dir = ./
new_certs_dir = $dir/newcerts
unique_subject = no
certificate = $dir/certs/ocsp-rootca.crt
database = $dir/certindex
private_key = $dir/private/ocsp-rootca.key
serial = $dir/certserial
default_days = 3650
default_md = sha1
policy = ca_policy
x509_extensions = ca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730

[ca_policy]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ca_extensions]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[v3_OCSP]
basicConstraints             = CA:FALSE
keyUsage                     = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage             = OCSPSigning

[alt_names]
DNS.0 = OCVPN Intermidiate CA 1
DNS.1 = OCVPN CA Intermidiate 1

[crl_section]
URI.0 = http://xxxxxx/ocvproot.crl
URI.2 = http://xxxxx/ocvproot.crl

[ocsp_section]
caIssuers;URI.0 = http://xxxxx/ocsp-root-ca.crt
caIssuers;URI.1 =  http://xxxxxx/ocsp-root-ca.crt
OCSP;URI.0 = http://xxxxxx:59388
OCSP;URI.1 = http://xxxxxx:59388

The error is:

$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer'  -extensions v3_OCSP
Error Loading extension section v3_OCSP
$>

If I include the -config option I get something I kind of expect, since I don't have a 'req_distinguished_name' section.

$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer'  -extensions v3_OCSP-config ./openssl.cnf
unable to find 'distinguished_name' in config
problems making Certificate Request
$>140084133627552:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name

Any help would be great.


1 Answer


I had the same problem. What I found is that OpenSSL for Windows expects lower-case tag (section) names, similar to [ca] and [crl_section]. I replaced [v3_OCSP] with [v3_ocsp] and it worked.

answered 2018-02-15T07:18:16.227
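As an added example (not code from the question or the answer): the script below writes a minimal config that has the req_distinguished_name section the posted config lacks and a lower-case [v3_ocsp] section as the answer suggests, issues the OCSP-signer CSR with -reqexts (in OpenSSL 1.x, -extensions applies only to -x509 self-signed output, while -reqexts selects the request extensions; 3.x accepts both), and then checks the CSR actually carries CA:FALSE and the OCSP Signing EKU before it is handed to the CA. The directory, key and DN values are constructed for the demo; the check is skipped if no openssl binary is available.

```shell
#!/bin/sh
# Added example: generate an OCSP-signer CSR from a self-contained config
# and verify its extensions. Paths and subject values are constructed.
set -eu

make_ocsp_csr() {
    # Without openssl there is nothing to verify; report that honestly
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d)
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
C  = US
O  = Example CA
CN = OCSP Responder

# Lower-case section name, referenced exactly as written below
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ocsp.key" 2>/dev/null
    # Request extensions come from -reqexts; -extensions would be ignored
    # for a CSR on OpenSSL 1.x builds
    openssl req -new -sha256 -key "$dir/ocsp.key" -out "$dir/ocsp.csr" \
        -config "$dir/openssl.cnf" -reqexts v3_ocsp
    # Dump the CSR and insist on the two properties an OCSP signer needs:
    # it must not be a CA and it must be marked for OCSP signing
    text=$(openssl req -in "$dir/ocsp.csr" -noout -text)
    rm -rf "$dir"
    echo "$text" | grep -q 'CA:FALSE' || return 1
    echo "$text" | grep -q 'OCSP Signing' || return 1
    echo ok
}
```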