Hello,
although i have setup the default country_code to 2 characters only ("US"). I
was not able to find out why, am i getting below error, while trying to setup
my own CA:
# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out
cacert.pem
Generating a 2048 bit RSA private key
..+++
.........................................................................................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
problems making Certificate Request
13175:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too
long:/usr/src/lib/libssl/src/crypto/asn1/a_mbstr.c:154:maxsize=2
#
file permissions:
# pwd
/etc/ssl
# ls -ltr
total 348
drwxr-xr-x 2 root wheel 512 Aug 28 11:00 lib
-r--r--r-- 1 root bin 895 Aug 28 11:00 x509v3.cnf
-r--r--r-- 1 root bin 151917 Aug 28 11:00 cert.pem
drwxr-xr-x 4 root wheel 512 Nov 21 23:00 orig.dir.with.contents
drwxr-xr-x 2 root wheel 512 Nov 25 21:01 crl
drwxr-xr-x 2 root wheel 512 Nov 25 21:01 newcerts
-rw-r--r-- 1 root wheel 0 Nov 25 21:01 certindex.txt
-rw-r--r-- 1 root wheel 7 Nov 25 21:01 serial
drwxr-xr-x 2 root wheel 512 Nov 27 22:23 issuedcerts
-r--r--r-- 1 root bin 6889 Dec 6 10:50 openssl.cnf
drwx------ 2 root wheel 512 Dec 9 00:12 private
# ls -l private
total 4
-rw-r--r-- 1 root wheel 1743 Dec 9 00:13 cakey.pem
# ls -l issuedcerts
# ls -l newcerts
#
here is my config file:
$ cat /etc/ssl/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation ofcertificate requests.
# Plus,
# I have configured it for generating CA cert too.
#
RANDFILE = /dev/arandom
dir = /etc/ssl # working dir
for all operations
[ ca ] # section for CA settings
default_ca = CA_default # default CA
settings section title
[ CA_default ] # default settings for CA
certs = $dir/issuedcerts # dir to keep issued
certificates
new_certs_dir = $dir/newcerts # dir for new certs
crl_dir = $dir/crl # dir for issued cert revoc
lists
serial = $dir/serial # file contains the current
serial no.
database = $dir/certindex.txt # certificate database index
file
crl = $dir/crl/ca-crl.pem # the current CRL
certificate = $dir/ca-cert.pem # file containing CA certificate
private_key = $dir/private/ca-key.pem # the private key
corrosponding
# to CA certificate
default_days = 3650 # valid for 10 years
default_md = sha1 # md5 for older software and
is weaker
preserve = no # whether to preserve the
order of DN
# fields to match the order
passed in
email_in_dn = no
policy = policy_match # section to tell which fields
in certs
# must match that of CA, or are
mandetory
x509_extensions = usr_cert # directives for CA when
signing a cert
# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.)
unique_subject = no
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
nameopt = default_ca
certopt = default_ca
[ policy_match ] # OIDs that must be same as that of CA
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types. All values are system default.
[ policy_anything ] # all possible options for policy...
countryName = optional
stateOrProvinceName = optional
localityName = optional # this is not in policy_match section
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
#######################################
# the req section is used by openssl req command, it creates and process
# certificate requests in PKCS#10 format. also creates self signed certs
# for use as root CA.
[ req ] # directives to process and create cert requests
default_bits = 2048 # key size for new cert request
default_keyfile = privkey.pem # def key name for any newely
generated cert
default_md = sha1 # message digest algorithm
default was md5
prompt = no
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name # suggest was
root_ca__distinguished_name
attributes = req_attributes # section used when generating
cert
x509_extensions = v3_ca # section ext to add to
generated certs
req_extensions = v3_req # [non CA] Used when requesting certs,
# adds more extnsions to cert request
###########
# below section not used right now
#[ root_ca_distinguished_name ]
#commonName = FistOfIron USA
#countryName = US
#stateOrProvinceName = Atlanta
#localityName = Decatur
#0.organizationName = fistofiron.org
#emailAddress = [EMAIL PROTECTED]
#####################
[ req_distinguished_name ] # options needed to
generate a certificate
# Variable name Prompt string
#-------------------------
----------------------------------
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (fullname)
localityName = Locality Name (city,district)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name(department, division)
commonName = Common Name (FQDN, hostname,IP, or your name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64 #original cnf file from install had
64/sample had 40
# default values for above
countryName_default = US
stateOrProvinceName_default = Atlanta
localityName_default = Decatur, GA
0.organizationName_default = Fist of Iron
organizationalUnitName_default = testpersonalmail
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = CryptSoft Pty Ltd
[ usr_cert ] # options used by CA to sign other certs
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE # false meaning this cert cannot be used as CA
cert
# to sign other certs, for e.g.
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash # specifies how to identify the key being
certified/signed
authorityKeyIdentifier=keyid,issuer:always # how to identify the pub key
used to verfy sign
# on this (user) key
nsComment = OpenSSL_from_fistofiron
nsCaRevocationUrl = https://www.COMPANYNAME.com/ca-crl.pem # revoc url
for the root CA cert
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_ca ] # options used for creating CA cert
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:TRUE
# commented out defaults...
#keyUsage = cRLSign,keyCertSign #although typical for a CA
#nsCertType = sslCA,emailCA
#subjectAltName = email:copy #even though recommanded by PKIX
#issuerAltName = issuer:copy #even though recommanded by PKIX
#obj = DER:02:03 #experts only. introduces an ext in Hex
with DER
[ v3_req ] # options used for adding a certificate request.
basicConstraints = CA:FALSE # meaning this cert is not for doing CA
job
subjectKeyIdentifier = hash # how to identify this cert
[ req_attributes ]
challengePassword = A challenge password # displays this text
challengePassword_min = 4 # min length allowed
challengePassword_max = 20 # max length allowed
unstructuredName = optional company name # displays this text
[ x509v3_extensions ] # these are used to sign or request certs
nsCaRevocationUrl = http://www.fistofiron.com/ca-crl.pem
nsComment = "Fist of Iron owns its own CA and signs its
own certs"
# under ASN.1, the 0 bit would be encoded as 80
nsCertType = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType
$
Please advice what is going wrong?
Thank you.
-BG
________________________________
~~Kalyan-mastu~~
