Bug 172744 - openssl ca command generates errors when signing pem certificate signing requests
Summary: openssl ca command generates errors when signing pem certificate signing requ...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 4
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-11-08 23:01 UTC by Steven Stromer
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-11-08 23:40:14 UTC
Type: ---
Embargoed:



Description Steven Stromer 2005-11-08 23:01:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/312.5.1 (KHTML, like Gecko) Safari/312.3.1

Description of problem:

Default /etc/pki/tls/openssl.cnf [CA_default] settings cause 'openssl ca' commands to generate errors, 
even when the value of the 'dir' attribute in this section is hard coded, and clearly starting in the correct 
directory. Some of the errors include:

1. Not being able to locate the directory set by the 'crl_dir' attribute;
2. Not being able to locate index.txt, as set by the 'database' attribute;
3. Not being able to locate the directory set by the 'serial' attribute;
4. Not being able to locate crl.pem, as set by the 'crl' attribute.

The paths and files being called simply do not exist in the newly installed (and fairly 'vanilla' ) FC4 
installation where these errors are being generated. Is this being caused by a failure to install some 
additional package, are the settings in the .cnf file incorrect, are actual files and directories missing, or 
are the commands simply incorrect in their syntax? 

Version-Release number of selected component (if applicable):
openssl-0.9.7f-7.10.i686

How reproducible:
Always

Steps to Reproduce:
As root user:

1. Generate CA key and cert works successfully:
openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -keyout /etc/pki/tls/private/cakey.pem -out /etc/pki/tls/certs/cacert.pem -days 3650

2. Export public part from full cert works successfully:
openssl x509 -in /etc/pki/tls/certs/cacert.pem -out /etc/pki/tls/certs/cacert.crt

3. Generate host key and request for host cert works successfully:
openssl req -config /etc/pki/tls/openssl.cnf -new -keyout [FQDN].request.pem -out [FQDN].request.pem -days 730

(Seems a little strange to output both key and csr to same file, but this is documented in a few locations 
on the web...Also, the same errors are generated even when a separate key and csr are created.)

4. Sign host key with CA key fails with numerous errors:
openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out [FQDN].pem -infiles [FQDN].request.pem

Actual Results:  Activity fails to complete with errors as described above.

Expected Results:  Successful signing of host ssl certificate by self-generated CA.

Additional info:

For a self assigned CA this is not a major, and immediate security problem, but for a larger CA, this 
could become a valid security issue. If anyone qualified feels that the severity should be upgraded, 
please do so. I do not feel qualified to mark this bug at a 'security' severity level.

Comment 1 Tomas Mraz 2005-11-08 23:40:14 UTC
The openssl ca command expects some preset directories and files.

There is a CA script which works fine for me:
cd /etc/pki/tls/misc
./CA -h

Why should this be a security issue anyway?
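The files Comment 1 refers to are the ones the [CA_default] section of openssl.cnf points at (index.txt, serial, the newcerts and crl directories, the CA certificate and key). The following script is an added example, not code from the bug report and not Fedora's /etc/pki/tls/misc/CA script: it creates that layout under a throwaway directory, writes a minimal openssl.cnf (modelled on the stock one, with the usual section names) whose 'dir' points there, and then runs the reporter's steps 1, 3 and 4 against it, with the host key and CSR in separate files. The function names, the CA_ROOT variable and the subject names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: prepare the directory layout that 'openssl ca' expects and
# run a CA-key / host-CSR / sign cycle against it. Nothing under /etc/pki is
# touched; everything goes under $CA_ROOT (assumed name, defaults to mktemp).
set -eu

CA_ROOT="${CA_ROOT:-$(mktemp -d)}"

# Create the files and directories named by [CA_default]:
#   certs, crl_dir, new_certs_dir, private, database (index.txt), serial.
ca_layout_init() {
    root="$1"
    mkdir -p "$root/certs" "$root/crl" "$root/newcerts" "$root/private"
    chmod 700 "$root/private"          # CA private key lives here
    : > "$root/index.txt"              # database: empty, one line per issued cert
    echo 01 > "$root/serial"           # serial: next certificate serial, hex
    echo 01 > "$root/crlnumber"        # crlnumber: only needed for 'openssl ca -gencrl'
}

# Return 0 when every path [CA_default] refers to for signing exists.
ca_layout_check() {
    root="$1"
    for p in certs crl newcerts private index.txt serial; do
        [ -e "$root/$p" ] || return 1
    done
    return 0
}

# Print a minimal openssl.cnf (assumed content, modelled on the Fedora default)
# whose [CA_default] 'dir' is the directory given as $1.
ca_write_config() {
    printf '[ ca ]\ndefault_ca = CA_default\n\n[ CA_default ]\ndir = %s\n' "$1"
    cat <<'EOF'
certs           = $dir/certs
crl_dir         = $dir/crl
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
serial          = $dir/serial
crlnumber       = $dir/crlnumber
crl             = $dir/crl.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 730
policy          = policy_anything
x509_extensions = usr_cert
name_opt        = ca_default
cert_opt        = ca_default
unique_subject  = no

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
commonName = Common Name

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints       = CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# The reporter's steps 1, 3 and 4, run against the prepared layout.
ca_demo() {
    root="$1"; cfg="$root/openssl.cnf"
    ca_layout_init "$root"
    ca_write_config "$root" > "$cfg"
    # 1. CA key and self-signed CA certificate (unencrypted key for the demo)
    openssl req -config "$cfg" -new -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=Example Test CA" \
        -keyout "$root/private/cakey.pem" -out "$root/cacert.pem" -days 3650
    # 3. host key and CSR, written to separate files
    openssl req -config "$cfg" -new -nodes -newkey rsa:2048 \
        -subj "/CN=host.example.test" \
        -keyout "$root/host.key.pem" -out "$root/host.csr.pem"
    # 4. sign the CSR; this is the step that fails without the layout above
    openssl ca -config "$cfg" -batch -policy policy_anything \
        -out "$root/host.cert.pem" -infiles "$root/host.csr.pem"
    openssl verify -CAfile "$root/cacert.pem" "$root/host.cert.pem"
}

if command -v openssl >/dev/null 2>&1; then
    ca_demo "$CA_ROOT"
    echo "issued certificate: $CA_ROOT/host.cert.pem"
else
    echo "openssl not found; layout prepared under $CA_ROOT only"
    ca_layout_init "$CA_ROOT"
fi
```

Running it once shows the difference the layout makes: with index.txt and serial present, 'openssl ca' appends a line to index.txt, bumps serial, and drops a copy of the new certificate into newcerts/. Pointing the same script at a directory without those files reproduces the "unable to open" errors from the report.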


