
issues with the openssl command-line tool


Michael P. Soulier

Jul 17, 2006, 3:40:28 PM
Hello,

When I try to sign CSRs for my CA to create client certificates, the
openssl command-line tool returns 0 regardless of whether it succeeded
or failed. Should it not return a non-zero value if it failed to
sign the CSR for some reason?

This is crucial when wrapping the openssl tool for automation
purposes, like a CGI for a web interface for managing one's CSR queue.

Thanks,
Mike
--
Michael P. Soulier <michael...@mitel.com>, 613-592-2122 x2522
"Any intelligent fool can make things bigger and more complex... It
takes a touch of genius - and a lot of courage to move in the opposite
direction." --Albert Einstein
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Marek Marcola

Jul 17, 2006, 6:35:18 PM
Hello,
> When I try to sign CSRs for my CA to create client certificates, the
> openssl command-line tool returns 0 regardless of whether it succeeded
> or failed. Should it not return a non-zero value if it failed to
> sign the CSR for some reason?
>
> This is crucial when wrapping the openssl tool for automation
> purposes, like a CGI for a web interface for managing one's CSR queue.

I think this returns the proper return code; for example
(some prepared errors):

$ openssl ca -config openssl.cnf -in certs/vpn-server-crt-req.pem
Using configuration from openssl.cnf
Enter pass phrase for /usr/local/etc/ca/private/cakey.pem:
unable to load CA private key
16824:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
16824:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
$ echo $?
1

$ openssl ca -config openssl.cnf -in certs/vpn-server-crt-req.pem
Using configuration from openssl.cnf
Enter pass phrase for /usr/local/etc/ca/private/cakey.pem:
Check that the request matches the signature
Signature ok
ERROR:Serial number 1032 has already been issued,
check the database/serial_file for corruption
The matching entry has the following details
Type :Valid
Expires on :070717222900Z
Serial Number :1032
File name :unknown
$ echo $?
1

Best regards,
--
Marek Marcola <Marek....@malkom.pl>

Marek Marcola

Jul 18, 2006, 4:28:44 PM
Hello,

> > I think that this returns proper return code, for example
> > (some prepared errors):
>
> I'll have to confirm, but this did not appear to be the case if the tool
> failed to sign a CSR due to a preexisting CN already issued in a cert. I
> found just a size-zero file created.

Maybe a good and acceptable solution to this problem would be
to always check the newly created certificate,
for example with the command:
$ openssl verify -CAfile cacert.pem new_cert.pem
This should give you information on the generated certificate's status
independently of the "openssl" return code, no-space-on-disk errors,
permission problems or other openssl/system errors.

Michael P. Soulier

Jul 18, 2006, 4:42:36 PM
Marek Marcola wrote:
> Maybe a good and acceptable solution to this problem would be
> to always check the newly created certificate,
> for example with the command:
> $ openssl verify -CAfile cacert.pem new_cert.pem
> This should give you information on the generated certificate's status
> independently of the "openssl" return code, no-space-on-disk errors,
> permission problems or other openssl/system errors.
>
> Best regards,

Hmm.

[root@vmware-msoulier2 ca]# openssl verify -CAfile cacert.pem certs/06.pem
certs/06.pem: /CN=ServiceLink Account ID: 45415305/emailAddress=ad...@vmware-msoulier2.nssg.mitel.com/O=XYZ Corporation
error 2 at 1 depth lookup:unable to get issuer certificate

Mike
--
Michael P. Soulier <michael...@mitel.com>, 613-592-2122 x2522
"Any intelligent fool can make things bigger and more complex... It
takes a touch of genius - and a lot of courage to move in the opposite
direction." --Albert Einstein

Girish Venkatachalam

Jul 18, 2006, 4:47:06 PM
Don't know the specifics, but you do need all certs
till the root CA for verification in the web of
trust model.

You navigate up and up with the issuer name matching
the subject name until both are the same.

HTH


Marek Marcola

Jul 18, 2006, 4:55:31 PM
Hello,

> Don't know the specifics, but you do need all certs
> till the root CA for verification in the web of
> trust model.
Yes, and the file cacert.pem can contain many certificates,
in other words all of the ones needed.
Just add to this file all CA certificates from your
verification path.

Best regards,
--
Marek Marcola <Marek....@malkom.pl>
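The wrapper below is an added example, not code from the thread or from the OpenSSL project. It puts the thread's two pieces of advice together: never trust the exit status of "openssl ca" alone, and verify the newly written certificate against a bundle that holds the issuing CA and every CA above it (a bundle with only part of the chain produces the "unable to get issuer certificate" error quoted above). The wrapper does not depend on whether a failed signing returns non-zero or leaves a zero-byte file behind, since it checks both and then runs "openssl verify". The throwaway CA layout, config section names and file paths are assumptions for the demonstration; a real deployment would point sign_csr at its own CA config and chain file.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenSSL): wrap "openssl ca" so
# that automation never relies on the exit status alone. Three checks:
#   1. the exit status of openssl ca,
#   2. the output file exists and is not empty (the thread reports a
#      zero-byte file left behind by a failed signing),
#   3. "openssl verify" succeeds against a bundle holding the issuing CA
#      and every CA above it ("unable to get issuer certificate" otherwise).
# All paths, section names and the throwaway CA layout are assumptions.

# check_signed_cert RC CERT CHAIN -> 0 if all checks pass, else 1/2/3
# naming the first check that failed.
check_signed_cert() {
    rc="$1" cert="$2" chain="$3"
    [ "$rc" -eq 0 ] || return 1
    [ -s "$cert" ] || return 2
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 3
    return 0
}

# sign_csr CONFIG CSR CERT CHAIN: signs non-interactively, applies the
# checks, and deletes CERT on failure so an empty file is never mistaken
# for a certificate by a later step.
sign_csr() {
    rc=0
    openssl ca -batch -notext -config "$1" -in "$2" -out "$3" >/dev/null 2>&1 || rc=$?
    status=0
    check_signed_cert "$rc" "$3" "$4" || status=$?
    [ "$status" -eq 0 ] || rm -f "$3"
    return "$status"
}

# demo_ca_setup DIR: creates a throwaway root CA under DIR (assumed layout).
demo_ca_setup() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_md      = sha256
default_days    = 365
policy          = demo_policy
unique_subject  = yes
x509_extensions = client_cert

[ demo_policy ]
commonName      = supplied

[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth

[ req ]
distinguished_name = req_dn
x509_extensions    = root_ca

[ req_dn ]
commonName = Common Name

[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/openssl.cnf" \
        -subj "/CN=Demo Root CA" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        >/dev/null 2>&1
}

# demo_csr DIR NAME CN: generates a client key and CSR (assumed layout).
demo_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# demo: sign two CSRs with the same CN; unique_subject rejects the second,
# and the wrapper reports it whatever "openssl ca" itself returned.
demo() {
    work=$(mktemp -d)
    demo_ca_setup "$work"
    demo_csr "$work" client1 "client one"
    demo_csr "$work" client2 "client one"
    for n in client1 client2; do
        if sign_csr "$work/openssl.cnf" "$work/$n.csr" "$work/$n.pem" "$work/cacert.pem"; then
            echo "$n: signed and verified against the CA bundle"
        else
            echo "$n: rejected (check $? failed), no certificate file left behind"
        fi
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh sign_csr.sh demo" to see the second, duplicate-CN request rejected. In production the chain argument is the bundle Marek describes: the issuing CA's certificate concatenated with every CA above it up to the root, so that check 3 does not fail with "unable to get issuer certificate" for a sub-CA.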
