Hello,
while trying to setup my own CA i am getting below
error:
# openssl req -new -x509 -extensions v3_ca -keyout
private/cakey.pem -out cacert.pem
Generating a 2048 bit RSA private key
..+++
.........................................................................................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
problems making Certificate Request
13175:error:0D07A097:asn1 encoding
routines:ASN1_mbstring_copy:string too
long:/usr/src/lib/libssl/src/crypto/asn1/a_mbstr.c:154:maxsize=2
#
file permissions:
# pwd
/etc/ssl
# ls -ltr
total 348
drwxr-xr-x 2 root wheel 512 Aug 28 11:00 lib
-r--r--r-- 1 root bin 895 Aug 28 11:00
x509v3.cnf
-r--r--r-- 1 root bin 151917 Aug 28 11:00
cert.pem
drwxr-xr-x 4 root wheel 512 Nov 21 23:00
orig.dir.with.contents
drwxr-xr-x 2 root wheel 512 Nov 25 21:01 crl
drwxr-xr-x 2 root wheel 512 Nov 25 21:01
newcerts
-rw-r--r-- 1 root wheel 0 Nov 25 21:01
certindex.txt
-rw-r--r-- 1 root wheel 7 Nov 25 21:01 serial
drwxr-xr-x 2 root wheel 512 Nov 27 22:23
issuedcerts
-r--r--r-- 1 root bin 6889 Dec 6 10:50
openssl.cnf
drwx------ 2 root wheel 512 Dec 9 00:12 private
# ls -l private
total 4
-rw-r--r-- 1 root wheel 1743 Dec 9 00:13 cakey.pem
# ls -l issuedcerts
# ls -l newcerts
#
here is my config file:
$ cat /etc/ssl/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of
certificate requests.
# Plus,
# I have configured it for generating CA cert too.
#
RANDFILE = /dev/arandom
dir = /etc/ssl # working dir
for all operations
[ ca ] # section for CA settings
default_ca = CA_default # default CA
settings section title
[ CA_default ] # default settings for CA
certs = $dir/issuedcerts # dir
to keep issued certificates
new_certs_dir = $dir/newcerts # dir
for new certs
crl_dir = $dir/crl # dir
for issued cert revoc lists
serial = $dir/serial # file
contains the current serial no.
database = $dir/certindex.txt #
certificate database index file
crl = $dir/crl/ca-crl.pem # the
current CRL
certificate = $dir/ca-cert.pem # file
containing CA certificate
private_key = $dir/private/ca-key.pem
# the private key corrosponding
# to
CA certificate
default_days = 3650 #
valid for 10 years
default_md = sha1 # md5
for older software and is weaker
preserve = no #
whether to preserve the order of DN
#
fields to match the order passed in
email_in_dn = no
policy = policy_match #
section to tell which fields in certs
# must
match that of CA, or are mandetory
x509_extensions = usr_cert #
directives for CA when signing a cert
# Make new requests easier to sign - allow two
subjects with same name
# (Or revoke the old certificate first.)
unique_subject = no
# Comment out the following two lines for the
"traditional"
# (and highly broken) format.
nameopt = default_ca
certopt = default_ca
[ policy_match ] # OIDs that
must be same as that of CA
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable
'object'
# types. All values are system default.
[ policy_anything ] # all possible options for
policy...
countryName = optional
stateOrProvinceName = optional
localityName = optional # this is not
in policy_match section
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
#######################################
# the req section is used by openssl req command, it
creates and process
# certificate requests in PKCS#10 format. also creates
self signed certs
# for use as root CA.
[ req ] # directives to process and
create cert requests
default_bits = 2048 # key
size for new cert request
default_keyfile = privkey.pem # def
key name for any newely generated cert
default_md = sha1 #
message digest algorithm default was md5
prompt = no
string_mask = nombstr #
permitted characters
distinguished_name = req_distinguished_name
# suggest was root_ca__distinguished_name
attributes = req_attributes #
section used when generating cert
x509_extensions = v3_ca #
section ext to add to generated certs
req_extensions = v3_req # [non CA]
Used when requesting certs,
# adds more
extnsions to cert request
###########
# below section not used right now
#[ root_ca_distinguished_name ]
#commonName = FistOfIron MO
#countryName = US
#stateOrProvinceName = Atlantai
#localityName = St.Louis
#0.organizationName = fistofiron.org
#emailAddress = [EMAIL PROTECTED]
#####################
[ req_distinguished_name ] # options needed to
generate a certificate
# Variable name Prompt string
#-------------------------
----------------------------------
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full
name)
localityName = Locality Name (city,
district)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name
(department, division)
commonName = Common Name (FQDN, hostname,
IP, or your name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64 #original cnf
file from install had 64/sample had 40
# default values for above
countryName_default = US
stateOrProvinceName_default = Atlanta
localityName_default = GC, GA
0.organizationName_default = Fist of Iron
organizationalUnitName_default = testpersonalmail
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization
Name (eg, company)
#1.organizationName_default = CryptSoft Pty Ltd
[ usr_cert ] # options used by CA to sign
other certs
# These extensions are added when 'ca' signs a
request.
# This goes against PKIX guidelines but some CAs do it
and some software
# requires this to avoid interpreting an end user
certificate as a CA.
basicConstraints=CA:FALSE # false meaning this
cert cannot be used as CA cert
# to sign other certs,
for e.g.
# PKIX recommendations harmless if included in all
certificates.
subjectKeyIdentifier=hash # specifies how to
identify the key being certified/signed
authorityKeyIdentifier=keyid,issuer:always # how
to identify the pub key used to verfy sign
# on
this (user) key
nsComment = OpenSSL_from_
nsCaRevocationUrl =
https://www.COMPANYNAME.com/ca-crl.pem # revoc url for
the root CA cert
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_ca ] # options used for creating CA
cert
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# This is what PKIX recommends but some broken
software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:TRUE
# commented out defaults...
#keyUsage = cRLSign,keyCertSign #although
typical for a CA
#nsCertType = sslCA,emailCA
#subjectAltName = email:copy #even though
recommanded by PKIX
#issuerAltName = issuer:copy #even though
recommanded by PKIX
#obj = DER:02:03 #experts only.
introduces an ext in Hex with DER
[ v3_req ] # options used for adding a
certificate request.
basicConstraints = CA:FALSE # meaning this
cert is not for doing CA job
subjectKeyIdentifier = hash # how to
identify this cert
[ req_attributes ]
challengePassword = A challenge password
# displays this text
challengePassword_min = 4
# min length allowed
challengePassword_max = 20
# max length allowed
unstructuredName = optional company
name # displays this text
[ x509v3_extensions ] # these are used to
sign or request certs
nsCaRevocationUrl =
http://www.fistofiron.com/ca-crl.pem
nsComment = "Fist of Iron owns
its own CA and signs its own certs"
# under ASN.1, the 0 bit would be encoded as 80
nsCertType = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType
$
Please advice what is going wrong?
Thank you.
-BG
________________________________
~~Kalyan-mastu~~
