OpenSSL error loading extension section v3_OCSP when using a custom configuration


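First, I have been following "OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation" on the Raymii.org website (see: ), and trying to combine it with xpersguers git hub page on how to build and test an OCSP responder (see: )

Everything seemed to work, but I ran into a problem when requesting a new certificate for the OCSP server certificate: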

openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' -config ./openssl.cnf -extensions v3_OCSP

The OpenSSL configuration (./openssl.cnf) file looks like this:

# vim ca.conf
[ca]
default_ca = default_ca

[crl_ext]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

 [default_ca]
 dir = ./
 new_certs_dir = $dir/newcerts
 unique_subject = no
 certificate = $dir/certs/ocsp-rootca.crt
 database = $dir/certindex
 private_key = $dir/private/ocsp-rootca.key
 serial = $dir/certserial
 default_days = 3650
 default_md = sha1
 policy = ca_policy
 x509_extensions = ca_extensions
 crlnumber = $dir/crlnumber
 default_crl_days = 730

 [ca_policy]
 commonName = supplied
 stateOrProvinceName = supplied
 countryName = optional
 emailAddress = optional
 organizationName = supplied
 organizationalUnitName = optional

 [ca_extensions]
 basicConstraints = critical,CA:TRUE
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 [v3_ca]
 basicConstraints = critical,CA:TRUE,pathlen:0
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 [v3_OCSP]
 basicConstraints             = CA:FALSE
 keyUsage                     = nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage             = OCSPSigning


 [alt_names]
 DNS.0 = OCVPN Intermidiate CA 1
 DNS.1 = OCVPN CA Intermidiate 1

 [crl_section]
 URI.0 = http://xxxxxx/ocvproot.crl
 URI.2 = http://xxxxx/ocvproot.crl

 [ocsp_section]
 caIssuers;URI.0 = http://xxxxx/ocsp-root-ca.crt
 caIssuers;URI.1 =  http://xxxxxx/ocsp-root-ca.crt
 OCSP;URI.0 = http://xxxxxx:59388
 OCSP;URI.1 = http://xxxxxx:59388

The error is:

$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer'  -extensions v3_OCSP
Error Loading extension section v3_OCSP
$>
If I include the -config option, I get something I was expecting, since there is no "req_distinguished_name" section:

$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer'  -extensions v3_OCSP -config ./openssl.cnf
unable to find 'distinguished_name' in config
problems making Certificate Request
$>140084133627552:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name

Any help would be great.

I had the same problem. I found that openssl for Windows needs lowercase tag (section) names like [ca], [crl_section]. I replaced [v3_OCSP] with [v3_ocsp] and it worked.
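
A preflight check for the two failures shown in this thread, as an added example (not code from the question or the answer). It reads an openssl.cnf-style file and reports a missing distinguished_name in [req], an -extensions section name that is absent or differs only in case, keys set more than once, and @section references that point to no section. The parser is a simplification (it assumes # comments and does no variable expansion), and the sample configs are constructed.

```python
import re

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")

def parse_sections(text):
    """Simplified parse: section -> {key: [values]}; no $var expansion or .include."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)         # name kept exactly as written
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {}).setdefault(key, []).append(value)
    return sections

def preflight_req(text, extensions):
    """Findings to fix before `openssl req -new -config FILE -extensions NAME`."""
    sections, problems = parse_sections(text), []
    dn = sections.get("req", {}).get("distinguished_name", [None])[-1]
    if dn is None:
        problems.append("[req] has no distinguished_name")
    elif dn not in sections:
        problems.append(f"distinguished_name section [{dn}] is missing")
    if extensions not in sections:
        near = [name for name in sections if name.lower() == extensions.lower()]
        hint = f" (case differs from [{near[0]}])" if near else ""
        problems.append(f"extension section [{extensions}] not found{hint}")
        return problems
    for key, values in sections[extensions].items():
        if len(values) > 1:
            problems.append(f"{key} is set {len(values)} times in [{extensions}]")
        for ref in re.findall(r"@(\w+)", " ".join(values)):
            if ref not in sections:
                problems.append(f"{key} refers to missing section [{ref}]")
    return problems

# Constructed sample: the [v3_OCSP] section from the question, with no [req] section.
AS_POSTED = """
[v3_OCSP]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
"""
# Constructed fix: add [req] and the distinguished_name section it points to.
WITH_REQ = "[req]\ndistinguished_name = req_distinguished_name\n[req_distinguished_name]\n" + AS_POSTED
```

Calling preflight_req(AS_POSTED, "v3_OCSP") reports the missing distinguished_name, and the same call on WITH_REQ returns an empty list.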