Hello - I was trying to include a CRL distribution point in a certificate, but the documentation on the page http://www.openssl.org/docs/apps/x509v3_config.html on CRL distribution points didn't work for me. The "openssl ca" command refused to sign certificates when I edited my openssl.cnf to include the full distribution point example. I figured out how to do what I needed to do, but the documentation might need a closer look to make it correct.
The example configuration says to do this:

-------------
[usr_cert]
<snip standard stuff>
crlDistributionPoints=crldp1_section

[crldp1_section]
fullname=URI:http://myhost.com/myca.crl
CRLissuer=dirName:issuer_sect
reasons=keyCompromise, CACompromise

[issuer_sect]
C=UK
O=Organisation
CN=Some Name
---------------

I added that to my openssl.cnf file, and tried the "openssl ca" command below:

openssl ca -policy policy_anything -out "newcert.pem" \
    -cert demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -key password \
    -days 999 -outdir demoCA/newcerts -batch -passin pass:password \
    -notext \
    -infiles "newreq.pem"

The ca command reported these errors:

Using configuration from /usr/local/ssl/openssl.cnf
Error Loading extension section usr_cert
19243:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('./demoCA/index.txt.attr','rb')
19243:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
19243:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:
19243:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=email_in_dn
19243:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME:missing value:v3_alt.c:392:
19243:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=crlDistributionPoints, value=crldp1_section

I changed my openssl.cnf to use a different syntax, and then everything worked as I wanted it to. Here's the configuration that worked for me:

[usr_cert]
<snip standard stuff>
crlDistributionPoints = @crldp1_section

[crldp1_section]
URI = ldap://ldap.example.com/cn=myca,o=myorg,c=US?certificateRevocationList;binary

I'm using OpenSSL 0.9.7j.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
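The following script is an added example, not part of the original post or of OpenSSL's own documentation. It issues a certificate with a crlDistributionPoints extension written in the "@section" form that worked for the poster (extended to two distribution point URIs via URI.0/URI.1), and alongside it the "fullname"/"CRLissuer"/"reasons" form from the manual page that the poster's 0.9.7j rejected but current OpenSSL releases accept. It signs with "openssl x509 -req -extfile" instead of "openssl ca", so no CA database (index.txt, index.txt.attr, serial) has to exist, and then reads the extension back out of the issued certificate so you can confirm what actually went into it. The CA name, hostnames, URLs and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): issue a certificate carrying a
# crlDistributionPoints extension and read it back. Uses "openssl x509 -req"
# with -extfile/-extensions so no "openssl ca" database is required.
# All names, URLs and paths are constructed for this example.
set -e

# Write an extension config with both section styles.
# $1 = path of the config file to create
write_ext_config() {
    cat > "$1" <<'EOF'
# Section style that worked for the poster on 0.9.7j; URI.0/URI.1 give
# two distribution points (name_cmp accepts a ".n" suffix on the key).
[usr_cert]
basicConstraints = CA:FALSE
crlDistributionPoints = @crldp1_section

[crldp1_section]
URI.0 = http://crl.example.test/ca.crl
URI.1 = ldap://ldap.example.test/cn=myca,o=myorg,c=US?certificateRevocationList;binary

# Full distribution point syntax from the manual page (note: no "@").
# Rejected by 0.9.7j with "v2i_GENERAL_NAME:missing value"; accepted by
# current releases.
[usr_cert_full]
basicConstraints = CA:FALSE
crlDistributionPoints = crldp_full

[crldp_full]
fullname = URI:http://crl.example.test/ca.crl
CRLissuer = dirName:issuer_sect
reasons = keyCompromise, CACompromise

[issuer_sect]
C = UK
O = Example Org
CN = Example CA
EOF
}

# Issue a leaf certificate using extension section $2 from config file $1,
# then print the URI entries of its CRL Distribution Points extension
# (one "URI:..." per line, leading whitespace stripped).
issue_and_show_crldp() {
    workdir=$(mktemp -d)
    openssl genrsa -out "$workdir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$workdir/ca.key" -subj "/CN=Example CA" \
        -days 1 -out "$workdir/ca.pem" 2>/dev/null
    openssl genrsa -out "$workdir/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$workdir/leaf.key" -subj "/CN=leaf.example.test" \
        -out "$workdir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$workdir/leaf.csr" -CA "$workdir/ca.pem" \
        -CAkey "$workdir/ca.key" -CAcreateserial -days 1 \
        -extfile "$1" -extensions "$2" -out "$workdir/leaf.pem" 2>/dev/null
    # Read the extension back: only the URI lines matter here.
    openssl x509 -in "$workdir/leaf.pem" -noout -text | grep 'URI:' | sed 's/^ *//'
    rm -rf "$workdir"
}

# Stand-alone usage: show what each section style put into the certificate.
cfg=$(mktemp)
write_ext_config "$cfg"
echo "== @section style (usr_cert) =="
issue_and_show_crldp "$cfg" usr_cert
echo "== fullname style (usr_cert_full) =="
issue_and_show_crldp "$cfg" usr_cert_full
rm -f "$cfg"
```

Checking the issued certificate with "openssl x509 -noout -text" is the step worth keeping from this: a mis-typed section name or a syntax the running OpenSSL version does not understand either fails at signing time (as the poster saw) or silently leaves the extension out, and relying parties will only see what the certificate actually carries.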