> On Sep 26, 2023, at 11:33 PM, stephane Tranchemer <stran...@free.fr> wrote:
>
>>>
>>> Another trouble I found, maybe it's my conf again(?) is that I am unable to
>>> use a section to call out to define common options for x509extensions.
>>> Example, this does not work:
>>>
>>> [ ca ]
>>> default_ca = Domain-CA
>>>
>>> [ Domain-CA ]
>>> ...
>>> x509_extensions = common_options
>>>
>>> [ common_options ]
>>> crlDistributionPoints = URI:http://my_machine_fqdn/crl/root.crl
>>> nsComment = "Generated Certificate for Company"
>>> subjectKeyIdentifier = hash
>>> authorityKeyIdentifier = keyid,issuer
>>>
>> Please work this into an example explaining in detail what you expect to
>> see and what you do see and what commands you run.
> Sorry, the formatting has gone south.
> So, create a config.cnf file for a CA like this (I don't include all
> settings, there are many examples on the web)
> [ ca ]
> default_ca = Domain-CA
>
> [ Domain-CA ]
> ...
> x509_extensions = common_options
> [ common_options ]
> crlDistributionPoints = URI:http://my_machine_FQDN/crl/root.crl
> nsComment = "OpenSSL Generated Certificate for Company"
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> [ v3_ca ]
> basicConstraints = CA:true
>
> Create your CA, the root certificate, its key, its CRL ...
> Create a CSR to ask this CA to generate a certificate for you. In my case I
> use this ROOT-CA to only generate a certificate for a Subordinate-CA that
> handles all the certificate generation.
> # openssl ca -config config.cnf -extensions v3_ca -days 375 -notext -md sha256 -keyfile /etc/ROOT-CA/private/ca.key -in SUBORDINATE-CA.csr -out SUBORDINATE-CA.crt
> Once generated, look into this new certificate; what you can see at this point
> is that there are no x509 extensions in there.
> # openssl x509 -in SUBORDINATE-CA.crt -text -noout
>
> If you put the crlDistributionPoints in the [ v3_ca ] segment then it will be
> part of the certificate.
Which would “make sense” because your command above is telling it to use
-extensions from v3_ca. So it’s not going to use extensions from where you
have them in “common_options”.
Given the commands you are showing above, the behavior you describe is at least
“consistent” with the openssl command's known insanity.
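Added example (not from the thread, and not the poster's config): a throwaway CA that reproduces the behaviour described above, then shows one way to get both the CA constraint and the shared options into a single certificate, since extension sections do not inherit from each other. It assumes openssl on PATH; the section names, subjects and the example.invalid URL are constructed for the demo.

```shell
#!/bin/sh
# Scratch CA in a temp dir. Everything below is constructed for this demo.
set -e
WORK=$(mktemp -d) && cd "$WORK"
mkdir newcerts && touch index.txt && echo 1000 > serial
cat > config.cnf <<'EOF'
[ ca ]
default_ca = Domain-CA
[ Domain-CA ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
unique_subject = no
policy = policy_any
# Ignored whenever "openssl ca -extensions <section>" is given on the command line.
x509_extensions = common_options
[ policy_any ]
commonName = supplied
[ common_options ]
crlDistributionPoints = URI:http://example.invalid/crl/root.crl
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = CA:true
# Sections do not inherit; pull the shared value in explicitly with OpenSSL's
# $section::name variable syntax (or simply repeat the lines).
[ v3_ca_full ]
basicConstraints = CA:true
crlDistributionPoints = $common_options::crlDistributionPoints
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj /CN=Root -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr -subj /CN=Sub 2>/dev/null
# sign <extension-section> <outfile>: same shape as the poster's "openssl ca" call
sign() { openssl ca -batch -config config.cnf -extensions "$1" -days 30 -notext -in sub.csr -out "$2" 2>/dev/null; }
# has_crldp <cert>: succeeds when the CRL Distribution Points extension is present
has_crldp() { openssl x509 -in "$1" -text -noout | grep -q 'CRL Distribution Points'; }
sign v3_ca sub-v3ca.crt
sign v3_ca_full sub-full.crt
echo "v3_ca only:  CRL DP present? $(has_crldp sub-v3ca.crt && echo yes || echo no)"
echo "v3_ca_full:  CRL DP present? $(has_crldp sub-full.crt && echo yes || echo no)"
```

The first certificate carries only basicConstraints, exactly as reported in the thread; the second carries the CRL distribution point as well.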