OpenSSL error : 0D09F007
Greetings,

We are using OpenSSL with OpenOSP to set up a CA and getting the following error. Would greatly appreciate it if you can throw some pointers:

22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0224 Checking for CA certificate first
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0235 Found CA cert; convert to internal format
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*Failed to convert ASN.1 CA cert
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 )) Unlocking ccm.ldap.access_mutex
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 Unlocked ccm.ldap.access_mutex

The commands used to create the certificate are as per the attached make_ca.sh file. The other attached files are the decoded certificate and the openssl.cnf and openosp.cnf files that we are using in our setup.

Kindly let me know what possibly could be wrong.

Best Regards,
Rajat

Confidentiality Notice

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments.

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = /usr/openosp/random
#RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

[ ca ]
default_ca = CA_default            # The default ca section

[ CA_default ]

dir = ./demoCA                     # Where everything is kept
certs = $dir/certs                 # Where the issued certs are kept
crl_dir = $dir/crl                 # Where the issued crl are kept
database = $dir/index.txt          # database index file.
new_certs_dir = $dir/newcerts      # default place for new certs.

certificate = $dir/cacert.pem      # The CA certificate
serial = $dir/serial               # The current serial number
crl = $dir/crl.pem                 # The current CRL
private_key = $dir/private/cakey.pem   # The private key
RANDFILE = $dir/private/.rand      # private random number file

x509_extensions = usr_cert         # The extentions to add to the cert

name_opt = ca_default              # Subject Name options
cert_opt = ca_default              # Certificate field options

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365                 # how long to certify for
default_crl_days = 30              # how long before next CRL
default_md = md5                   # which md to use.
preserve = no                      # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca            # The extentions to add to the self signed cert

# Passwords for private keys if not present
OpenSSL error : 0D09F007
Greetings,

We are using OpenSSL with OpenOSP to set up a CA and getting the following error while initializing the OSP server. We would greatly appreciate it if you can throw some pointers:

22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0224 Checking for CA certificate first
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0235 Found CA cert; convert to internal format
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*Failed to convert ASN.1 CA cert
22:57:56.499*01*ccmldap.c *ccm_lookup_ldap_by_subje*0245*OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 )) Unlocking ccm.ldap.access_mutex
22:57:56.499 01 ccmldap.c ccm_lookup_ldap_by_subje 0445 Unlocked ccm.ldap.access_mutex

The commands used to create the certificate are as per the attached make_ca.sh file. The other attached files are the decoded certificate and the openssl.cnf and openosp.cnf files that we are using in our setup.

Kindly let me know what possibly could be wrong.

Best Regards,
Rajat
openssl.cnf
Description: openssl.cnf

openosp.cnf
Description: openosp.cnf

# ./openssl x509 -in /usr/openosp/cacert.der -inform der -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IN, O=Wipro, CN=OSPServer
        Validity
            Not Before: Nov 15 11:27:44 2005 GMT
            Not After : Nov 15 11:27:44 2015 GMT
        Subject: C=IN, O=Wipro, CN=OSPServer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption

#!/bin/ksh
# Shell script: make_ca.sh
#
# Purpose: Make a CA certificate using OpenSSL commands
#
# (C) COPYRIGHT DATA CONNECTION LIMITED 2000
#
# $Revision:: 1.2$ $Modtime:: Aug 02 2000 10:05:42 $

SSL_PATH=${SSL_PATH:-/usr/local/ssl}

#
# Create a request
#
$SSL_PATH/bin/openssl req -new -newkey rsa:1024 -config $SSL_PATH/openssl.cnf \
    -out careq.pem -keyout cakey.pem -nodes

#
# Create a temporary self-signed cert that we can use as a CA cert
#
$SSL_PATH/bin/openssl x509 -req -in careq.pem -signkey cakey.pem \
    -extfile $SSL_PATH/openssl.cnf -extensions v3_ca -out cacert0.pem

#
# Sign the request using the temporary CA cert that we just made.
# This effectively results in another CA cert, but this one has a
# serial number.
#
$SSL_PATH/bin/openssl x509 -req -in careq.pem -CAkey cakey.pem \
    -CA cacert0.pem -CAserial serial.txt -CAcreateserial \
    -extfile $SSL_PATH/openssl.cnf -extensions v3_ca -days 3652 -outform DER \
    -out cacert.der

#
# Delete the files we no longer need.
#
rm careq.pem
rm cacert0.pem
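An added example, not part of the original post and not OpenOSP or OpenSSL code: the error text in the log says the decoder expected an ASN.1 SEQUENCE, and a certificate in DER form begins with the SEQUENCE tag 0x30 followed by a length. The function below classifies bytes before they are handed to a DER parser such as d2i_X509, so that PEM text, unarmored base64, truncation and trailing data show up as distinct cases. The name classify_cert_blob, the enum values and the sample bytes are constructed for illustration.

```c
/* Added example, not OpenOSP or OpenSSL code: all names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum blob_kind { DER_SEQUENCE, PEM_TEXT, BARE_BASE64, TRUNCATED,
                 TRAILING_BYTES, NOT_A_SEQUENCE };

/* Classify bytes that are about to be handed to a DER certificate parser. */
enum blob_kind classify_cert_blob(const unsigned char *p, size_t n)
{
    size_t len = 0, hdr = 2, nlen, i;

    if (n >= 10 && memcmp(p, "-----BEGIN", 10) == 0)
        return PEM_TEXT;               /* armored text, needs a PEM reader */
    if (n >= 3 && memcmp(p, "MII", 3) == 0)
        return BARE_BASE64;            /* heuristic: base64 of bytes 30 82 .. */
    if (n < 2 || p[0] != 0x30)
        return NOT_A_SEQUENCE;         /* outer tag is not SEQUENCE */
    if (p[1] < 0x80) {
        len = p[1];                    /* short-form length */
    } else {
        nlen = p[1] & 0x7f;            /* long form: number of length bytes */
        if (nlen == 0 || nlen > 4)
            return NOT_A_SEQUENCE;     /* indefinite (BER) or oversized */
        if (n < 2 + nlen)
            return TRUNCATED;
        for (i = 0; i < nlen; i++)
            len = (len << 8) | p[2 + i];
        hdr = 2 + nlen;
    }
    if (n - hdr < len)
        return TRUNCATED;              /* fewer bytes than the header claims */
    if (n - hdr > len)
        return TRAILING_BYTES;         /* padding or a second object appended */
    return DER_SEQUENCE;
}

/* Constructed samples: SEQUENCE { INTEGER 5 } and a one-byte OCTET STRING. */
static const unsigned char sample_der[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char sample_octets[] = { 0x04, 0x01, 0x00 };

int main(void)
{
    static const char *names[] = { "DER SEQUENCE", "PEM text", "bare base64",
        "truncated", "trailing bytes", "not a SEQUENCE" };
    printf("%s\n", names[classify_cert_blob(sample_der, sizeof sample_der)]);
    printf("%s\n", names[classify_cert_blob(sample_octets, sizeof sample_octets)]);
    return 0;
}
```

Only DER_SEQUENCE means the outer wrapper is well formed; it says nothing about whether the contents are a valid certificate.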