Red Hat Bugzilla – Bug 172744
openssl ca command generates errors when signing pem certificate signing requests
Last modified: 2007-11-30 17:11:16 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/312.5.1 (KHTML, like Gecko) Safari/312.3.1
Description of problem:
Default /etc/pki/tls/openssl.cnf [CA_default] settings cause 'openssl ca' commands to generate errors,
even when the value of the 'dir' attribute in this section is hard coded, and clearly starting in the correct
directory. Some of the errors include:
1. Not being able to locate the directory set by the 'crl_dir' attribute;
2. Not being able to locate index.txt, as set by the 'database' attribute;
3. Not being able to locate the directory set by the 'serial' attribute;
4. Not being able to locate crl.pem, as set by the 'crl' attribute.
The paths and files being called simply do not exist in the newly installed (and fairly 'vanilla') FC4
installation where these errors are being generated. Is this being caused by a failure to install some
additional package, are the settings in the .cnf file incorrect, are actual files and directories missing, or
are the commands simply incorrect in their syntax?
Version-Release number of selected component (if applicable):
Steps to Reproduce:
As root user:
1. Generate CA key and cert works successfully:
openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -keyout /etc/pki/tls/private/cakey.pem -out /etc/pki/tls/certs/cacert.pem -days 3650
2. Export public part from full cert works successfully:
openssl x509 -in /etc/pki/tls/certs/cacert.pem -out /etc/pki/tls/certs/cacert.crt
3. Generate host key and request for host cert works successfully:
openssl req -config /etc/pki/tls/openssl.cnf -new -keyout [FQDN].request.pem -out [FQDN].request.pem -days 730
(Seems a little strange to output both key and csr to same file, but this is documented in a few locations
on the web. Also, the same errors are generated even when a separate key and csr are created.)
4. Sign host key with CA key fails with numerous errors:
openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out [FQDN].pem -infiles
Actual Results: Activity fails to complete with errors as described above.
Expected Results: Successful signing of host ssl certificate by self-generated CA.
For a self-assigned CA this is not a major and immediate security problem, but for a larger CA this
could become a valid security issue. If anyone qualified feels that the severity should be upgraded,
please do so. I do not feel qualified to mark this bug at a 'security' severity level.
The openssl ca command expects some preset directories and files.
There is a CA script which works fine for me:
Why should this be a security issue anyway?
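As an added example (not the reporter's commands or Red Hat's CA script), this POSIX shell snippet reads the [CA_default] section of an openssl.cnf, lists which of the paths behind the reporter's errors (crl_dir, database, serial, crl) are missing, and pre-creates the directories, index.txt and serial file that 'openssl ca' needs before its first signing. The configuration is a constructed fragment written under a temporary directory; on a real FC4 system CA_CNF would be /etc/pki/tls/openssl.cnf, which is assumed to use the same keys.

```shell
# Added example (not the report's or Red Hat's code): pre-create the layout that
# 'openssl ca' reads from [CA_default]. Constructed config under a temp dir; the
# real FC4 file is /etc/pki/tls/openssl.cnf (assumed to use the same keys).
init_demo_ca() {
    CA_ROOT=$1; CA_CNF=$CA_ROOT/openssl.cnf
    cat > "$CA_CNF" <<EOF
[ CA_default ]
dir           = $CA_ROOT/CA
crl_dir       = \$dir/crl
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
serial        = \$dir/serial
crl           = \$dir/crl.pem
private_key   = \$dir/private/cakey.pem
EOF
}
# Print one [CA_default] value with its '$dir' reference expanded.
ca_value() {
    awk -v key="$1" 'BEGIN { FS = "=" }
        /^\[/ { insec = ($0 ~ /^\[ *CA_default *\]/); next }
        insec && NF >= 2 {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "dir") dir = v
            if (k == key)  val = v
        }
        END { sub(/^\$dir/, dir, val); print val }' "$CA_CNF"
}
# List configured paths that do not exist; each is one of the report's errors.
missing_ca_paths() {
    for key in crl_dir database serial crl certificate private_key; do
        p=$(ca_value "$key"); [ -e "$p" ] || printf '%s: %s\n' "$key" "$p"
    done
}
# Create what 'openssl ca' needs before its first signing: directories, an empty
# index.txt database and a serial counter. cacert.pem/cakey.pem come from the
# 'openssl req -x509' step; crl.pem only appears after 'openssl ca -gencrl'.
prepare_ca_layout() {
    for key in crl_dir new_certs_dir; do mkdir -p "$(ca_value "$key")"; done
    keydir=$(dirname "$(ca_value private_key)"); mkdir -p "$keydir"; chmod 700 "$keydir"
    db=$(ca_value database);  [ -e "$db" ]  || : > "$db"
    ser=$(ca_value serial);   [ -e "$ser" ] || printf '01\n' > "$ser"
}
init_demo_ca "$(mktemp -d)"
echo "Missing before preparation:"; missing_ca_paths
prepare_ca_layout
echo "Still missing (made by openssl req -x509 / openssl ca -gencrl):"; missing_ca_paths
```

The remaining three entries after preparation are the files the reporter's steps 1 and the CRL generation produce, so an unprepared tree fails on the four directory and database checks first and a prepared one only on the absent CA certificate and key.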