To begin with, I have been following 'OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation' on Raymii.org (see: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html#Configuring_the_Intermediate_CA_1) and trying to combine it with the xperseguers GitHub page on how to build and test an OCSP responder (see: https://github.com/xperseguers/ocsp-responder/blob/master/Documentation/CertificateAuthority.md).
Everything seems to work, but I am running into a problem when requesting a new certificate for the OCSP server:
openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr \
    -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' \
    -config ./openssl.cnf -extensions v3_OCSP
The OpenSSL configuration file (./openssl.cnf) is as follows.
# ./openssl.cnf (loaded with -config)
[ca]
default_ca = default_ca

# Extensions for CRLs (used by `openssl ca -gencrl -crlexts crl_ext`)
[crl_ext]
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always

[default_ca]
dir = ./
new_certs_dir = $dir/newcerts
unique_subject = no
certificate = $dir/certs/ocsp-rootca.crt
database = $dir/certindex
private_key = $dir/private/ocsp-rootca.key
serial = $dir/certserial
default_days = 3650
# sha1 is no longer acceptable for certificate signatures
default_md = sha256
policy = ca_policy
x509_extensions = ca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730

[ca_policy]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

# Extensions applied by `openssl ca` (x509_extensions above)
[ca_extensions]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
# "any" is not a keyUsage value, and a section must not list the same
# extension twice, so one merged line replaces the two original keyUsage lines
keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section

[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section

# Extensions for the OCSP responder's signing certificate (-extensions v3_OCSP)
[v3_OCSP]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

# subjectAltName DNS entries are expected to be host names, not free text
[alt_names]
DNS.0 = OCVPN Intermediate CA 1
DNS.1 = OCVPN CA Intermediate 1

[crl_section]
URI.0 = http://xxxxxx/ocvproot.crl
URI.2 = http://xxxxx/ocvproot.crl

[ocsp_section]
caIssuers;URI.0 = http://xxxxx/ocsp-root-ca.crt
caIssuers;URI.1 = http://xxxxxx/ocsp-root-ca.crt
OCSP;URI.0 = http://xxxxxx:59388
OCSP;URI.1 = http://xxxxxx:59388
The error is:
$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr \
    -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' \
    -extensions v3_OCSP
Error Loading extension section v3_OCSP
$>
If I include the -config option, I get something I expect, because I don't have a 'req_distinguished_name' section.
$> openssl req -new -sha256 -key ./private/ocsrv.key -out ./csr/ocsrv.csr \
    -subj '/C=US/ST=CA/L=Turlock/O=BouncingAnvils/OU=Production/CN=OCSPServer' \
    -extensions v3_OCSP -config ./openssl.cnf
unable to find 'distinguished_name' in config
problems making Certificate Request
140084133627552:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name
$>
Any help would be great.
Answer 0 (score: 0)
I ran into the same problem. I found that OpenSSL for Windows expects lowercase labels (section names) such as [ca], [crl_section]. I replaced [v3_OCSP] with [v3_ocsp] and it worked.