Bug 172744 - openssl ca command generates errors when signing pem certificate signing requests
Product: Fedora
Classification: Fedora
Component: openssl
Platform: i686 Linux
Priority: medium  Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Depends On:
Reported: 2005-11-08 18:01 EST by Steven Stromer
Modified: 2007-11-30 17:11 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-11-08 18:40:14 EST
Type: ---
Regression: ---

Description Steven Stromer 2005-11-08 18:01:31 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/312.5.1 (KHTML, like Gecko) Safari/312.3.1

Description of problem:

Default /etc/pki/tls/openssl.cnf [CA_default] settings cause 'openssl ca' commands to generate errors, 
even when the value of the 'dir' attribute in this section is hard coded, and clearly starting in the correct 
directory. Some of the errors include:

1. Not being able to locate the directory set by the 'crl_dir' attribute;
2. Not being able to locate index.txt, as set by the 'database' attribute;
3. Not being able to locate the directory set by the 'serial' attribute;
4. Not being able to locate crl.pem, as set by the 'crl' attribute.

The paths and files being called simply do not exist in the newly installed (and fairly 'vanilla' ) FC4 
installation where these errors are being generated. Is this being caused by a failure to install some 
additional package, are the settings in the .cnf file incorrect, are actual files and directories missing, or 
are the commands simply incorrect in their syntax? 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
As root user:

1. Generate CA key and cert works successfully:
openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -keyout /etc/pki/tls/private/cakey.pem -out /etc/pki/tls/certs/cacert.pem -days 3650

2. Export public part from full cert works successfully:
openssl x509 -in /etc/pki/tls/certs/cacert.pem -out /etc/pki/tls/certs/cacert.crt

3. Generate host key and request for host cert works successfully:
openssl req -config /etc/pki/tls/openssl.cnf -new -keyout [FQDN].request.pem -out [FQDN].request.pem -days 730

(Seems a little strange to output both key and csr to the same file, but this is documented in a few locations 
on the web... Also, the same errors are generated even when a separate key and csr are created.)

4. Sign host key with CA key fails with numerous errors:
openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out [FQDN].pem -infiles 

Actual Results:  Activity fails to complete with errors as described above.

Expected Results:  Successful signing of host ssl certificate by self-generated CA.

Additional info:

For a self-assigned CA this is not a major and immediate security problem, but for a larger CA, this 
could become a valid security issue. If anyone qualified feels that the severity should be upgraded, 
please do so. I do not feel qualified to mark this bug at a 'security' severity level.
Comment 1 Tomas Mraz 2005-11-08 18:40:14 EST
The openssl ca command expects some preset directories and files.

There is a CA script which works fine for me:
cd /etc/pki/tls/misc
./CA -h

Why should this be a security issue anyway?
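
The following is an added example, not part of the bug report and not the Fedora CA script the maintainer refers to. It shows by hand what the reporter's steps leave out: `openssl ca` never creates its own state, so the directories and bookkeeping files named in [CA_default] (certs, crl_dir, new_certs_dir, database, serial, crlnumber) must exist before the first signing, which is exactly why the report sees "cannot locate" errors for index.txt, serial and crl_dir. The script writes its own minimal openssl.cnf under a temporary directory, runs a pre-flight check that lists the missing paths before `openssl ca` is even invoked, creates the layout, generates a CA, a separate host key and CSR (rather than writing both into one file), signs the CSR and verifies the result. The config contents, the $CADIR location and the host name host.example.test are assumptions for the example; the default value of `dir` in Fedora's openssl.cnf is not asserted here.

```shell
#!/bin/sh
# Added example: minimal "openssl ca" working directory, built from scratch.
# Everything under $CADIR (config, paths, host name) is an assumption for
# this example, not a description of Fedora's shipped openssl.cnf.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"

# Write a self-contained config whose [CA_default] names the same kinds of
# paths the bug report's errors mention (crl_dir, database, serial, crl).
write_config() {
  cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $CADIR
certs          = \$dir/certs
crl_dir        = \$dir/crl
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
crlnumber      = \$dir/crlnumber
crl            = \$dir/crl.pem
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 730
policy         = policy_anything
unique_subject = no

[ policy_anything ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
CN = placeholder
EOF
}

# Report every path openssl ca needs but that does not exist yet.
# Returns 0 when the layout is complete, 1 otherwise.
ca_preflight() {
  missing=0
  for p in "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private" \
           "$CADIR/index.txt" "$CADIR/serial"; do
    if [ ! -e "$p" ]; then
      echo "openssl ca will fail: missing $p" >&2
      missing=1
    fi
  done
  return $missing
}

# Create the state openssl ca expects: directories, an empty database
# and a hex serial counter. This is the step the bug report skipped.
init_ca_layout() {
  mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private"
  chmod 700 "$CADIR/private"
  : > "$CADIR/index.txt"
  echo 1000 > "$CADIR/serial"
  echo 1000 > "$CADIR/crlnumber"
}

make_ca() {
  openssl req -config "$CADIR/openssl.cnf" -new -x509 -days 3650 -nodes \
    -newkey rsa:2048 -subj "/CN=Example Test CA" \
    -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null
}

# Key and CSR go to separate files; the CA only needs the CSR.
make_host_csr() {
  openssl req -config "$CADIR/openssl.cnf" -new -nodes -newkey rsa:2048 \
    -subj "/CN=$1" -keyout "$CADIR/$1.key.pem" -out "$CADIR/$1.csr.pem" 2>/dev/null
}

# -infiles must be the last option; openssl ca's own messages stay visible.
sign_host_csr() {
  openssl ca -batch -config "$CADIR/openssl.cnf" -policy policy_anything \
    -out "$CADIR/$1.pem" -infiles "$CADIR/$1.csr.pem"
}

verify_host_cert() {
  openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/$1.pem" >/dev/null 2>&1
}

demo() {
  write_config
  if ! ca_preflight; then
    echo "creating CA layout under $CADIR" >&2
    init_ca_layout
  fi
  make_ca
  make_host_csr "$1"
  sign_host_csr "$1"
  verify_host_cert "$1"
  echo "signed $CADIR/$1.pem; valid entries in index.txt: $(grep -c '^V' "$CADIR/index.txt")"
}

# Run end to end with a host name, e.g.:  sh ca_layout.sh host.example.test
if [ $# -gt 0 ]; then demo "$1"; fi
```

Running `ca_preflight` before the first `openssl ca` turns the maintainer's one-line answer into a concrete list of what to create; after `init_ca_layout` the same signing command that failed in the report succeeds, and index.txt gains one "V" (valid) line per issued certificate.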
