I've a new, local CA for (primary) local, self-signed, elliptical cert issuance 
& use.

I've built/installed,

        openssl version
                OpenSSL 1.1.0f  25 May 2017

I've created a ROOT crt & key, & an INTERMEDIATE key & csr.

On exec of signing the INTERMEDIATE key with the ROOT.

        openssl ca -batch \
         -notext \
         -extensions ext_intermediate \
         -config /home/sec/newCA/openssl.cnf \
         -name ca_root \
         -in  intermediate/csr/newCA.INTERMEDIATE.csr.pem \
         -out intermediate/certs/newCA.INTERMEDIATE.crt.pem

It appears to complete -- the cert's created

        openssl x509 \
         -noout \
         -text \
         -in intermediate/certs/newCA.INTERMEDIATE.crt.pem

                Certificate:
                    Data:
                        Version: 3 (0x2)
                        Serial Number: 4096 (0x1000)
                    Signature Algorithm: ecdsa-with-SHA256
                ...

but the process STARTS with an apparently non-fatal error ...

        Using configuration from /home/sec/newCA/openssl.cnf
        Can't open root/database.attr for reading, No such file or directory
        140013244086016:error:02001002:system library:fopen::crypto/bio/bss_file.c:74:fopen('root/database.attr','r')
        140013244086016:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
        Check that the request matches the signature
        Signature ok
        Certificate Details:
                Serial Number: 4096 (0x1000)
                Validity
                    Not Before: Jun  4 18:54:29 2017 GMT
                    Not After : Jun  2 18:54:29 2027 GMT
        ...
        Write out database with 1 new entries
        Data Base Updated

The only mention of

        root/database

is in my openssl.cnf

        ...
        [ ca_root ]
        dir               = root
        certs             = $dir/certs
        crl_dir           = $dir/crl
        new_certs_dir     = $dir/newcerts
        database          = $dir/database   <-------------
        unique_subject    = yes
        ...

PRIOR to creating the ROOT key, I

        touch root/database
        touch intermediate/database

AFTER the signing,

        ls -al root/database*
                -rw-r--r-- 1 root root 167 Jun  4 11:54 root/database
                -rw-r--r-- 1 root root  21 Jun  4 11:54 root/database.attr
                -rw-r--r-- 1 root root   0 Jun  4 11:51 root/database.old

and if I RE-exec the cmd,

        openssl ca -batch \
        ...

there's no more error

        Using configuration /home/sec/newCA/openssl.cnf
        Check that the request matches the signature
        Signature ok
        Certificate Details:
        ...

Checking

        cat root/database.attr
                unique_subject = yes

Which appears (?) to originate from the "[ ca_root ]" in my openssl.cnf

Do I need to touch, or manually populate, the 

        root/database.attr

prior to first exec to init as well?

Or is this a bug?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
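Added example, not part of the original post or of OpenSSL itself: a POSIX sh helper that pre-creates the directory layout a `[ ca_root ]`-style section like the one above refers to, including the `database.attr` side file that `openssl ca` otherwise writes on its first run, plus a check function. The function names `init_ca_dir`/`check_ca_dir`, the `private` subdirectory and the starting serial `1000` are my own assumptions.

```shell
#!/bin/sh
# Pre-seed the on-disk state an openssl ca section expects, so the first
# signing run does not have to create <database>.attr itself.
# Layout follows the post: dir=root, database=$dir/database, unique_subject=yes.

init_ca_dir() {
    dir="$1"            # e.g. root or intermediate
    unique="${2:-yes}"  # must match unique_subject in the matching [ ca_* ] section
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private" || return 1
    chmod 700 "$dir/private"
    # The index ("database") file must exist, and be empty, before the first run.
    [ -e "$dir/database" ] || : > "$dir/database"
    # openssl ca takes unique_subject from <database>.attr when that file exists,
    # otherwise from the config section, and writes the file back after each run.
    # Creating it up front keeps the first run quiet and the setting explicit.
    [ -e "$dir/database.attr" ] || printf 'unique_subject = %s\n' "$unique" > "$dir/database.attr"
    # Serial file: openssl ca needs one unless -create_serial is used.
    # 1000 is a constructed placeholder matching the post's first serial (0x1000 = 4096).
    [ -e "$dir/serial" ] || printf '1000\n' > "$dir/serial"
}

# Return 0 when the layout is usable by openssl ca, 1 with a diagnostic otherwise.
check_ca_dir() {
    dir="$1"
    for f in certs crl newcerts private database database.attr serial; do
        [ -e "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    grep -Eq '^unique_subject = (yes|no)$' "$dir/database.attr" || {
        echo "bad unique_subject in $dir/database.attr" >&2; return 1; }
    return 0
}
```

Existing files are never overwritten, so running it against an already-used CA directory is safe.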