Hello Gurus,

For the last two years I have been using an SSL certificate for my web
server, generated by TinyCA. As it expired two days ago, I tried to renew
it, but this is the error message I get:

=====
/usr/bin/openssl ca -batch -passin env:SSLPASS -notext -config
/home/grzes/.TinyCA/ca.my.com/openssl.cnf -name server_ca -in
"/home/grzes/.TinyCA/ca.my.com/req/xxxxxx.pem" -days 365 -preserveDN
-md md5

Using configuration from /home/grzes/.TinyCA/ca.my.com/openssl.cnf
Error Loading extension section server_cert
11829:error:0E06D06C:configuration file routines:NCONF_get_string:no
value:conf_lib.c:329:group=server_ca name=email_in_dn
11829:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing
value:v3_alt.c:432:
11829:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
extension:v3_conf.c:93:name=subjectAltName, value=dummy
=====

A year ago the renewal procedure worked without problems, and I did not
change the configuration of either openssl or TinyCA (at least to my
knowledge), so the only thing I suspect is that something has changed
in the behaviour of openssl (or, less probably, in TinyCA) during updates
that were done in the last year.

Any idea?

Currently I'm using openssl-0.9.8d and tinyca-2.0.7.5 on Gentoo.
Here's /home/grzes/.TinyCA/ca.my.com/openssl.cnf:

=====
[ ca ]
default_ca      = server_ca

[ policy_client ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_server ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_ca ]

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 40

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
nsCertType = sslCA, emailCA
issuerAltName = issuer:copy
nsComment = "TinyCA Generated Certificate"
subjectAltName = email:copy
keyUsage = critical, keyCertSign

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

[ server_ca ]
dir = /home/grzes/.TinyCA/ca.my.com
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = server_cert
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_server
unique_subject = yes

[ client_ca ]
dir = /home/grzes/.TinyCA/ca.my.com
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = client_cert
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_client
unique_subject = yes

[ ca_ca ]
dir = /home/grzes/.TinyCA/ca.my.com
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = server_cert
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_server
unique_subject = yes

[ client_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email, objsign
nsComment = "TinyCA Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = email:copy
keyUsage = critical, digitalSignature, keyEncipherment

[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "TinyCA Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = $ENV::SUBJECTALTNAMEIP
=====

Thanks in advance,

Grzes
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
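
The error output above reports `name=subjectAltName, value=dummy`, and `[ server_cert ]` takes that value from `$ENV::SUBJECTALTNAMEIP`. The check below is an added example (not part of the original post, TinyCA or OpenSSL) that expands the variable and validates the result as `type:value` entries before `openssl ca` is run; the function names and the sample IP address are assumptions.

```python
import re

# GENERAL_NAME type prefixes accepted in a subjectAltName value (x509v3_config).
SAN_TYPES = {"email", "URI", "DNS", "RID", "IP", "dirName", "otherName"}
ENV_REF = re.compile(r"\$ENV::([A-Za-z_][A-Za-z0-9_]*)")

def section_values(cnf_text, section, key):
    """Return the values assigned to `key` inside `[ section ]`."""
    current, found = None, []
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                found.append(value)
    return found

def check_san(cnf_text, section, env):
    """List problems with subjectAltName in `section` after $ENV expansion."""
    problems = []
    for value in section_values(cnf_text, section, "subjectAltName"):
        missing = [v for v in ENV_REF.findall(value) if v not in env]
        if missing:
            problems.append("unset environment variable: " + ", ".join(missing))
            continue
        expanded = ENV_REF.sub(lambda m: env[m.group(1)], value)
        for entry in (e.strip() for e in expanded.split(",")):
            kind, sep, rest = entry.partition(":")
            if entry == "critical":
                continue
            if not sep or not rest:
                problems.append(f"'{entry}' has no type:value form")
            elif kind not in SAN_TYPES:
                problems.append(f"'{entry}' uses unknown type '{kind}'")
    return problems

# Constructed sample: the subjectAltName line of [ server_cert ] as posted above.
SAMPLE_CNF = """
[ server_cert ]
basicConstraints = CA:FALSE
subjectAltName = $ENV::SUBJECTALTNAMEIP
"""

if __name__ == "__main__":
    for env in ({"SUBJECTALTNAMEIP": "dummy"}, {"SUBJECTALTNAMEIP": "IP:192.0.2.10"}, {}):
        print(env, "->", check_san(SAMPLE_CNF, "server_cert", env) or "ok")
```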
