Hello,
I'm getting this error message when trying to create a .p12 file:
32441:error:0D0BA041:asn1 encoding routines:ASN1_STRING_set:malloc
failure:asn1_lib.c:381:
32441:error:0B08A041:x509 certificate
routines:X509_ATTRIBUTE_set1_data:malloc failure:x509_att.c:317:
This output has been produced by my 'authority' in a Makefile. This is how to
reproduce the error:
1) Place all the four included files in one directory.
2) make init
3) make something.cli.p12
4) Go through the prompts. The final stage (pkcs12) will fail.
A simple list of what the Makefile can do:
make help
I tried to remove all the UTF-8 related stuff (-utf8 options, strings with
Czech characters in config files), but it didn't help. That makes me think this
could be a bug.
Best regards,
Andrej Podzimek
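# A simple CA interface for openssl. See make help for details.
#
# Tunable knobs, given on the command line (e.g. `make foo.key cipher=des3 length=4096`):
#   length  RSA key size in bits used by the %.key rule and by `make init`
#           (default 2048).
#   cipher  `openssl genrsa` cipher option used to encrypt generated keys
#           (e.g. des3). When unset, keys are written unencrypted and the
#           %.key rule asks for confirmation first.

# Default key length; also covers an explicit but empty `length=`.
ifeq ($(length),)
length := 2048
endif

# Turn `cipher=des3` into the `-des3` flag for `openssl genrsa`; the quotes
# are stripped by the shell. Stays undefined (expands empty) without a cipher.
ifneq ($(cipher),)
usecipher := "-$(cipher)"
endif

# Command targets, not files: declare them so a stray file with one of these
# names (e.g. `clean`) cannot make the target look up to date.
.PHONY: init revoke gencrl clean cleanauth help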
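# One-time CA setup. Refuses to run twice (an existing serial file marks an
# already initialised CA); use `make cleanauth` first to start over.
init:
	@printf '\n>>> Generating a certification authority <<<\n\n'
	@test ! -f serial
	@mkdir -p crl newcerts
# The key directory is created owner-only from the start, so there is no
# window in which the CA key could be written into a world-readable directory.
	@mkdir -p -m 0700 private
	@chmod go-rwx private
	@echo '01' > serial
	@touch index
# Self-signed CA certificate, valid 1825 days (5 years). The key goes to the
# path named by default_keyfile in openssl_auth.cnf (private/ca-key.pem) and,
# because of -nodes, is NOT passphrase-protected: the mode of private/ is its
# only protection, so keep the CA directory on trusted storage.
	@openssl req -utf8 -nameopt oneline,-esc_msb -nodes -config openssl_auth.cnf \
		-days 1825 -x509 -newkey rsa:$(length) -out ca-cert.pem -outform PEM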
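# Revoke the certificate in the file named by cert=<file> and refresh the CRL.
revoke:
# Parse-time check of the argument. It lives inside the recipe rather than in
# an $(error) so that other goals (e.g. `make help`) still work without cert=.
ifeq ($(cert),)
	@echo 'Usage: make revoke cert=<cert_filename>' >&2; exit 1
endif
	@printf '\n>>> Revoking the certificate <<<\n\n'
# Quoted so a file name containing spaces is passed as one argument.
	@openssl ca -utf8 -config openssl_auth.cnf -revoke "$(cert)"
# $(MAKE), not make: propagates flags such as -n and the jobserver.
	@$(MAKE) gencrl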
# Regenerate ca-crl.pem from the CA database. Run it on its own whenever the
# CRL is about to expire (default_crl_days in openssl_auth.cnf); `make revoke`
# calls it automatically.
gencrl:
	@printf '\n>>> Generating the Certificate Revocation List <<<\n\n'
	@openssl ca -utf8 -config openssl_auth.cnf -gencrl -out ca-crl.pem
# Delete generated end-entity material in the current directory. This
# includes the private keys (*.key), so copy anything worth keeping first;
# the CA itself (ca-cert.pem, private/, index, serial) is left alone.
clean:
	@printf '\n>>> Cleaning all leftover files <<<\n\n'
	@rm -rf *.key *.req *.crt *.p12
# Destroy the CA after running `clean`: the signing key (private/), the
# issued-certificate store (newcerts/), the CRL directory, the CA certificate,
# the CRL and the database/serial files. Irreversible — nothing is backed up.
cleanauth: clean
	@printf '\n>>> Removing the certification authority <<<\n\n'
	@rm -Rf crl newcerts private
	@rm -rf ca-cert.pem ca-crl.pem index* serial*
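# RSA private key <name>.key of $(length) bits, encrypted with $(usecipher)
# when a cipher was given (openssl then prompts for the passphrase).
%.key:
# Parse-time: without a cipher the key is written in the clear, so ask first.
# The conditional is evaluated once per make run, for every %.key built.
ifeq ($(usecipher),)
	@echo 'Warning: No cipher selected! Unencrypted certificates are not safe for personal use.'
# printf/read -r instead of `echo -n`: /bin/sh on some systems prints "-n"
# literally, and -r keeps backslashes in the answer from being interpreted.
	@answer=''; until [ "$$answer" = 'yes' ] || [ "$$answer" = 'no' ]; do \
		printf '%s' 'Proceed? (yes|no) '; \
		read -r answer; \
	done; \
	if [ "$$answer" = 'no' ]; then exit 2; fi
endif
	@printf '\n>>> Generating a key <<<\n\n'
	@openssl genrsa $(usecipher) -out $@ $(length)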
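# Certificate request <name>.req. The key is first produced under the fixed
# name private.key (by the %.key rule, with % = private) and renamed to
# <name>.key once the request exists, so an aborted run leaves both for a
# retry. Because of the fixed temp name only one request can be built per run
# (not safe under `make -j`), and a private.key left over from an earlier
# failure is reused as-is — delete it if that is not wanted.
%.req: private.key
	@printf '\n>>> Generating a certificate request <<<\n\n'
# -days is only meaningful together with -x509 (self-signed certificate); the
# validity of a CA-signed certificate comes from default_days in
# openssl_auth.cnf, so it is not passed here. -newhdr writes the
# "NEW CERTIFICATE REQUEST" PEM header some tools expect.
	@openssl req -utf8 -nameopt oneline,-esc_msb -config openssl_crt.cnf \
		-new -newhdr -outform PEM -key $< -out $@
	@mv $< $*.key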
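# EAP-TLS client certificate: sign new.req with the xpclient_ext section of
# xpextensions (extendedKeyUsage clientAuth), which the Windows supplicant
# needs. Listed before the generic %.crt rule so it wins for *.cli.crt
# (make >= 3.82 would also prefer it as the shorter stem). Request and key are
# produced under the fixed name "new" and renamed afterwards, so only one
# certificate can be built per run (see the %.req rule).
%.cli.crt: new.req
	@printf '\n>>> Signing the EAP client certificate request <<<\n\n'
# NOTE(review): with -extfile, openssl ca appears to take extensions from that
# file only, so the usr_cert section of openssl_auth.cnf (basicConstraints=
# CA:FALSE, key identifiers) is probably not added here — confirm with
# `openssl x509 -text` on an issued certificate.
	@openssl ca -utf8 -config openssl_auth.cnf -in new.req -out $@ \
		-extensions xpclient_ext -extfile xpextensions
# openssl ca may return success without writing $@ (e.g. when signing is
# declined at its prompt); fail loudly and keep the request and key for a retry.
	@if [ ! -f $@ ]; then echo "$@ was not issued; keeping new.req and new.key" >&2; exit 1; fi
	@rm new.req
	@mv new.key $*.cli.key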
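# EAP-TLS server certificate: like %.cli.crt but with the xpserver_ext section
# of xpextensions (extendedKeyUsage serverAuth). Must stay ahead of the
# generic %.crt rule. One certificate per run because of the fixed "new"
# temp name (see the %.req rule).
%.svr.crt: new.req
	@printf '\n>>> Signing the EAP server certificate request <<<\n\n'
# NOTE(review): with -extfile, openssl ca appears to take extensions from that
# file only, so usr_cert from openssl_auth.cnf is probably not applied here —
# confirm on an issued certificate.
	@openssl ca -utf8 -config openssl_auth.cnf -in new.req -out $@ \
		-extensions xpserver_ext -extfile xpextensions
# openssl ca may return success without writing $@ (e.g. when signing is
# declined at its prompt); fail loudly and keep the request and key for a retry.
	@if [ ! -f $@ ]; then echo "$@ was not issued; keeping new.req and new.key" >&2; exit 1; fi
	@rm new.req
	@mv new.key $*.svr.key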
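# Plain certificate: sign new.req with the extensions from x509_extensions
# (usr_cert) in openssl_auth.cnf. Generic fallback for names not matched by
# the %.cli.crt / %.svr.crt rules above. One certificate per run because of
# the fixed "new" temp name (see the %.req rule).
%.crt: new.req
	@printf '\n>>> Signing the certificate request <<<\n\n'
	@openssl ca -utf8 -config openssl_auth.cnf -in new.req -out $@
# openssl ca may return success without writing $@ (e.g. when signing is
# declined at its prompt); fail loudly and keep the request and key for a retry.
	@if [ ! -f $@ ]; then echo "$@ was not issued; keeping new.req and new.key" >&2; exit 1; fi
	@rm new.req
	@mv new.key $*.key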
# PKCS#12 bundle for an EAP-TLS client. Builds cert.cli.crt and cert.cli.key
# through the %.cli.crt chain (fixed temp name "cert", so one bundle per run),
# then packs certificate, private key and the CA certificate into $@.
# `openssl pkcs12 -export` prompts for the key passphrase (if the key was
# generated with a cipher) and for the export password. -name sets the
# bundle's friendlyName; note it is the CA's name, not the end entity's.
%.cli.p12: cert.cli.crt
	@echo
	@echo '>>> Making a pkcs12 EAP client certificate package <<<'
	@echo
	@openssl pkcs12 -export -name "Podzimek CA" -in cert.cli.crt -inkey \
		cert.cli.key -certfile ca-cert.pem -out $@
# The PEM key is deleted after export: the only remaining copy of the private
# key is inside the .p12, protected by the export password. The certificate
# is kept as <name>.cli.crt next to the bundle.
	@rm cert.cli.key
	@mv cert.cli.crt ${@:.p12=.crt}
# PKCS#12 bundle for an EAP-TLS server: same flow as %.cli.p12 but through the
# %.svr.crt chain (fixed temp name "cert", so one bundle per run).
# `openssl pkcs12 -export` prompts for the key passphrase (if the key was
# generated with a cipher) and for the export password. -name sets the
# bundle's friendlyName; note it is the CA's name, not the end entity's.
%.svr.p12: cert.svr.crt
	@echo
	@echo '>>> Making a pkcs12 EAP server certificate package <<<'
	@echo
	@openssl pkcs12 -export -name "Podzimek CA" -in cert.svr.crt -inkey \
		cert.svr.key -certfile ca-cert.pem -out $@
# The PEM key is deleted after export: the only remaining copy of the private
# key is inside the .p12, protected by the export password. The certificate
# is kept as <name>.svr.crt next to the bundle.
	@rm cert.svr.key
	@mv cert.svr.crt ${@:.p12=.crt}
# Generic PKCS#12 bundle: builds cert.crt and cert.key through the plain %.crt
# chain (fixed temp name "cert", so one bundle per run), then packs
# certificate, private key and the CA certificate into $@. Falls behind the
# %.cli.p12 / %.svr.p12 rules above for those names.
# `openssl pkcs12 -export` prompts for the key passphrase (if the key was
# generated with a cipher) and for the export password. -name sets the
# bundle's friendlyName; note it is the CA's name, not the end entity's.
%.p12: cert.crt
	@echo
	@echo '>>> Making a pkcs12 certificate package <<<'
	@echo
	@openssl pkcs12 -export -name "Podzimek CA" -in cert.crt -inkey \
		cert.key -certfile ca-cert.pem -out $@
# The PEM key is deleted after export: the only remaining copy of the private
# key is inside the .p12, protected by the export password. The certificate
# is kept as <name>.crt next to the bundle.
	@rm cert.key
	@mv cert.crt ${@:.p12=.crt}
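# Usage summary. One printf call; each argument is printed on its own line, an
# empty argument giving the blank separator lines.
# NOTE(review): the "des3 recommended" advice below is the author's; 3DES key
# encryption is dated and an AES cipher is the usual choice where the
# installed openssl supports it — confirm before changing the text.
help:
	@printf '%s\n' \
		'' \
		'make init' \
		' - required initial setup command for new CA' \
		'' \
		'make cleanauth' \
		' - removes all leftover files' \
		' - removes all the CA data, including keys and database' \
		' - USE WITH CAUTION!' \
		'' \
		'make filename.key [cipher=<cipher_option>] [length=<bits>]' \
		' - creates a private key' \
		' - length sets the RSA key size in bits (default 2048); also accepted by the targets below' \
		' - without cipher the key is stored unencrypted and you are asked to confirm' \
		'' \
		'make filename.req [cipher=<cipher_option>]' \
		' - creates a private key' \
		' - creates a certificate request based on the key' \
		'' \
		'make filename.crt [cipher=<cipher_option>]' \
		' - creates a private key' \
		' - creates a certificate request based on the key' \
		' - signs the certificate request' \
		'' \
		'make filename.cli.crt [cipher=<cipher_option>]' \
		' - same as above, but adds data required by the Windows supplicant' \
		' - to be used for EAP-TLS on client side' \
		'' \
		'make filename.svr.crt [cipher=<cipher_option>]' \
		' - same as above, this time for EAP-TLS server side' \
		'' \
		'make filename.p12 cipher=<cipher_option>' \
		' - creates a private key' \
		' - creates a certificate request based on the key' \
		' - signs the certificate request' \
		' - creates a pkcs12 package based on the signed request' \
		' - please see man openssl for a list of available cipher options (des3 recommended)' \
		'' \
		'make filename.cli.p12 cipher=<cipher_option>' \
		' - same as above, but adds data required by the Windows supplicant' \
		' - to be used for EAP-TLS on client side' \
		'' \
		'make filename.svr.p12 cipher=<cipher_option>' \
		' - same as above, this time for EAP-TLS server side' \
		'' \
		'make revoke cert=<cert_filename>' \
		' - revokes certificate in named file and calls gencrl' \
		'' \
		'make gencrl' \
		' - updates Certificate Revocation List (CRL)' \
		'' \
		'make clean' \
		' - removes all leftover files' \
		' - Make sure you SAVE all your new certificates first!' \
		''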
# $Id: openssl.cnf,v 1.2 2004/01/22 19:27:32 jmates Exp $
#
# OpenSSL configuration file for custom Certificate Authority. Use a
# different openssl.cnf file to generate certificate signing requests;
# this one is for use only in Certificate Authority operations (csr ->
# cert, cert revocation, revocation list generation).
#
# Be sure to customize this file prior to use, e.g. the commonName and
# other options under the root_ca_distinguished_name section.
#
# In the accompanying Makefile this file is passed with -config to
# `openssl req -x509` (make init: self-signed CA certificate and key) and to
# `openssl ca` (signing, revocation, CRL generation).
#
# Fallback for $ENV::HOME below: the $ENV:: prefix reads the environment
# variable first and only falls back to this value when it is unset.
HOME = .
# PRNG seed file in the invoking user's home directory; [ CA_default ] names
# a CA-local RANDFILE as well.
RANDFILE = $ENV::HOME/.rnd
[ ca ]
# Section `openssl ca` uses when no -name is given on the command line.
default_ca = CA_default
[ CA_default ]
# Everything is relative to the current directory, i.e. where the Makefile
# runs: `make init` creates crl/, newcerts/, private/, serial and index there.
dir = .
# unused at present, and my limited certs can be kept in current dir
#certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
# Text database of issued/revoked certificates (created empty by make init).
database = $dir/index
certificate = $dir/ca-cert.pem
# Next serial number; make init starts it at 01.
serial = $dir/serial
crl = $dir/ca-crl.pem
# CA signing key. make init generates it with `openssl req -nodes`, i.e. it
# is stored UNENCRYPTED; the go-rwx mode of private/ is its only protection.
private_key = $dir/private/ca-key.pem
RANDFILE = $dir/private/.rand
# Extensions added to certificates signed without -extfile (the Makefile's
# plain %.crt rule); the .cli/.svr rules pass -extfile xpextensions instead.
x509_extensions = usr_cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = "oneline,-esc_msb"
cert_opt = ca_default
# A CRL expires after 30 days; `make gencrl` must be rerun before then or
# relying parties will see a stale CRL.
default_crl_days= 30
default_days = 365
# if need to be compatible with older software, use weaker md5
# NOTE(review): SHA-1 signatures are deprecated and rejected by current
# verifiers (and by recent OpenSSL at its default security level); sha256 is
# the usual replacement — confirm the openssl build in use supports it.
default_md = sha1
# MSIE may need following set to yes?
preserve = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_charon
[ policy_charon ]
# Request DN policy enforced by `openssl ca`:
#   match    - must be present and equal to the CA certificate's value
#   supplied - must be present, any value
#   optional - may be absent
countryName = supplied
stateOrProvinceName = optional
localityName = supplied
# Requests must carry the CA's organizationName (see
# root_ca_distinguished_name below) or signing is refused.
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the CA policy
#[ policy_match ]
#countryName = match
#stateOrProvinceName = match
#organizationName = match
#organizationalUnitName = optional
#commonName = supplied
#emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
#[ policy_anything ]
#countryName = optional
#stateOrProvinceName = optional
#localityName = optional
#organizationName = optional
#organizationalUnitName = optional
#commonName = supplied
#emailAddress = optional
####################################################################
[ req ]
# Used by `make init` (openssl req -x509 with this file). The key size is
# also given explicitly on that command line with -newkey rsa:...
default_bits = 2048
# Where the CA key is written, since the Makefile passes no -keyout. It is
# unencrypted because of -nodes (see private_key in [ CA_default ]).
default_keyfile = ./private/ca-key.pem
# NOTE(review): see the default_md remark in [ CA_default ] — sha1 is deprecated.
default_md = sha1
# No interactive DN prompts: the subject is taken verbatim from
# root_ca_distinguished_name.
prompt = no
distinguished_name = root_ca_distinguished_name
# Extensions for the self-signed CA certificate.
x509_extensions = v3_ca
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# Every DN attribute is encoded as UTF8String; the Makefile also passes -utf8
# so that the input is read as UTF-8.
string_mask = utf8only
# req_extensions = v3_req
[ root_ca_distinguished_name ]
# Subject DN of the CA certificate. The commonName is also what the Makefile
# uses as the -name (friendlyName) of the PKCS#12 bundles.
commonName = Podzimek CA
countryName = CZ
#stateOrProvinceName =
# NOTE(review): this value looks mis-encoded (mojibake of a non-ASCII
# locality, presumably "Zlín") — check the file's actual bytes; a
# double-encoded name ends up in the CA certificate's subject.
localityName = ZlÃÂn
0.organizationName = podzimek.org
organizationalUnitName = podzimek.org
emailAddress = [EMAIL PROTECTED]
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# Applied to certificates from the Makefile's plain %.crt rule; the .cli/.svr
# rules pass -extfile xpextensions instead (see the note in that file).
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# Netscape-specific CRL pointer (legacy). The standard
# crlDistributionPoints extension is not set here, so other clients have no
# in-certificate pointer to the CRL.
nsCaRevocationUrl = https://ca.podzimek.org/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
# Not referenced by this file (req_extensions is commented out in [ req ]),
# and [ CA_default ] sets no copy_extensions, so extensions requested in a
# CSR are not carried into issued certificates either.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA (the self-signed certificate from make init).
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# No keyUsage (keyCertSign, cRLSign) is set, so the CA certificate is not
# restricted to CA operations.
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# Not referenced: [ CA_default ] sets no crl_extensions, so `make gencrl`
# issues CRLs without these (a V1 CRL, as the stock openssl.cnf comments put it).
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# In the accompanying Makefile this file is passed with -config to
# `openssl req -new` (the %.req rule). The CA-side sections below are all
# commented out; the active parts are [ req ], [ req_distinguished_name ]
# and [ v3_req ].
#
# This definition stops the following lines choking if HOME isn't
# defined: $ENV::HOME reads the environment variable first and falls back
# to this value only when it is unset.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
#oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
#[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
#[ ca ]
#default_ca = CA_default # The default ca section
####################################################################
#[ CA_default ]
#dir = ./demoCA # Where everything is kept
#certs = $dir/certs # Where the issued certs are kept
#crl_dir = $dir/crl # Where the issued crl are kept
#database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
#new_certs_dir = $dir/newcerts # default place for new certs.
#certificate = $dir/cacert.pem # The CA certificate
#serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
#crl = $dir/crl.pem # The current CRL
#private_key = $dir/private/cakey.pem # The private key
#RANDFILE = $dir/private/.rand # private random number file
#x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
#name_opt = ca_default # Subject Name options
#cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
#default_days = 365 # how long to certify for
#default_crl_days= 30 # how long before next CRL
#default_md = sha1 # which md to use.
#preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
#policy = policy_match
# For the CA policy
#[ policy_match ]
#countryName = match
#stateOrProvinceName = match
#organizationName = match
#organizationalUnitName = optional
#commonName = supplied
#emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
#[ policy_anything ]
#countryName = optional
#stateOrProvinceName = optional
#localityName = optional
#organizationName = optional
#organizationalUnitName = optional
#commonName = supplied
#emailAddress = optional
####################################################################
[ req ]
# Not used by the Makefile's %.req rule, which always passes an existing key
# with -key.
default_bits = 2048
#default_keyfile = privkey.pem
# Subject fields are prompted interactively (the Makefile passes no -subj and
# prompt is not disabled here); defaults come from the _default entries below.
distinguished_name = req_distinguished_name
#attributes = req_attributes
#x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# Every DN attribute is encoded as UTF8String; the Makefile also passes -utf8
# so that typed input is read as UTF-8.
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
# Per attribute: the prompt text, an optional _default, and _min/_max lengths.
countryName = Country Name (2 letter code)
countryName_default = CZ
countryName_min = 2
countryName_max = 2
#stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default =
localityName = Locality Name (eg, city)
# NOTE(review): this default looks mis-encoded (presumably "Zlín"); see the
# matching entry in openssl_auth.cnf and check the file's actual bytes.
localityName_default = ZlÃÂn
0.organizationName = Organization Name (eg, company)
# Must equal the CA's organizationName: the CA policy (policy_charon in
# openssl_auth.cnf) has organizationName = match, so a different value is
# refused at signing time.
0.organizationName_default = podzimek.org
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = podzimek.org
# No default: the CA policy requires commonName to be supplied.
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
#[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name
#[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
#nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
#subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
# These are embedded in the CSR only. Whether the CA carries them into the
# issued certificate depends on copy_extensions in the CA config, and
# openssl_auth.cnf does not set it, so they are most likely dropped at
# signing time; the issued extensions come from usr_cert or xpextensions.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
#subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
#[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
#authorityKeyIdentifier=keyid:always,issuer:always
#[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
#nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
#subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
#proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
# Extension sections used by the Makefile's %.cli.crt and %.svr.crt rules via
# `openssl ca -extfile xpextensions -extensions <section>`.
# NOTE(review): with -extfile, openssl ca appears to take extensions from this
# file only, so neither section below carries basicConstraints=CA:FALSE,
# keyUsage or the key identifiers that usr_cert in openssl_auth.cnf adds —
# verify an issued certificate with `openssl x509 -text` and add them here
# if they are missing.
[xpclient_ext]
# id-kp-clientAuth (1.3.6.1.5.5.7.3.2): EAP-TLS client certificate.
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[xpserver_ext]
# id-kp-serverAuth (1.3.6.1.5.5.7.3.1): EAP-TLS server certificate.
extendedKeyUsage = 1.3.6.1.5.5.7.3.1