OpenSSL error "Error Loading extension section v3_OCSP" when using a custom config
First, I have been following "OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation" on Raymii.org (see: ) and trying to combine it with the xpersguers GitHub page on how to build and test an OCSP responder (see: ). Everything seemed to work, but I ran into a problem when requesting a new certificate for the OCSP server certificate:
openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' -config ./openssl.cnf -extensions v3_OCSP
The OpenSSL configuration file (./openssl.cnf) looks like this:
# vim ca.conf
[ca]
default_ca = default_ca
[crl_ext]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[default_ca]
dir = ./
new_certs_dir = $dir/newcerts
unique_subject = no
certificate = $dir/certs/ocsp-rootca.crt
database = $dir/certindex
private_key = $dir/private/ocsp-rootca.key
serial = $dir/certserial
default_days = 3650
default_md = sha1
policy = ca_policy
x509_extensions = ca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730
[ca_policy]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ca_extensions]
basicConstraints = critical,CA:TRUE
# "any" is not a keyUsage bit and a second keyUsage line would duplicate the
# extension; the critical flag is folded into the single keyUsage line below.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical,digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
# Same fix as in ca_extensions: one keyUsage line, marked critical.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical,digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[v3_OCSP]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
[alt_names]
DNS.0 = OCVPN Intermidiate CA 1
DNS.1 = OCVPN CA Intermidiate 1
[crl_section]
URI.0 = http://xxxxxx/ocvproot.crl
URI.2 = http://xxxxx/ocvproot.crl
[ocsp_section]
caIssuers;URI.0 = http://xxxxx/ocsp-root-ca.crt
caIssuers;URI.1 = http://xxxxxx/ocsp-root-ca.crt
OCSP;URI.0 = http://xxxxxx:59388
OCSP;URI.1 = http://xxxxxx:59388
The error is:
$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' -extensions v3_OCSP
Error Loading extension section v3_OCSP
$>
If I include the -config option, I get something I was expecting, since there is no "req_distinguished_name" section:
$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' -extensions v3_OCSP -config ./openssl.cnf
unable to find 'distinguished_name' in config
problems making Certificate Request
$>140084133627552:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name
Any help would be appreciated.
I had the same problem. I found that OpenSSL for Windows needs lowercase section names, like [ca] and [crl_section]. I replaced [v3_OCSP] with [v3_ocsp] and it worked.
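A minimal openssl.cnf for the CSR step, added here as an example and not taken from the question or the answer: it contains the [req] section with the distinguished_name entry that the second error message complains about, and it names the extension section in lowercase as the answer suggests. The key and CSR paths are the ones from the question; the section contents are assumptions and the CA sections from the question are left out.

```ini
# Added example, not the poster's file. Only what `openssl req` needs for the
# OCSP responder CSR; the [ca]/[default_ca] sections from the question are
# unchanged and omitted here.
[ req ]
# Without this entry `openssl req` stops with
# "unable to find 'distinguished_name' in config".
distinguished_name = req_distinguished_name
# Put the extensions into the CSR without needing -extensions on the command
# line; -extensions v3_ocsp overrides it if given.
req_extensions = v3_ocsp

# The subject is supplied with -subj, so the section can be empty,
# but it must exist.
[ req_distinguished_name ]

# Lowercase section name, as the answer suggests. Whatever case is used, the
# name given to -extensions must match this header exactly.
[ v3_ocsp ]
basicConstraints = critical, CA:FALSE
# An OCSP responder only signs responses: digitalSignature is sufficient,
# keyEncipherment is not needed for this role.
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
# id-pkix-ocsp-nocheck: tells clients not to check the responder cert's own
# revocation status via OCSP (RFC 6960 section 4.2.2.2.1); the value is ignored.
noCheck = ignore
```

Generate the CSR with openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' -config ./openssl.cnf -extensions v3_ocsp, then confirm the extensions actually landed in the request with openssl req -in ./csr/ocsrv.csr -noout -text and look under "Requested Extensions". One caveat worth knowing: extensions in a CSR are only a request. When the CA signs with openssl ca, the issued certificate gets the extensions from the CA configuration's x509_extensions (or the section named by -extensions on the ca command), and the CSR's own extensions are copied only if copy_extensions is set in the CA section. For the OCSP signing certificate the usual approach is to point openssl ca at the same v3_ocsp section with -extensions v3_ocsp rather than relying on copy_extensions.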