CA.pl does not use CA_default dir in openssl.cnf correctly

Bug #1422011 reported by Jan Heitkötter
This bug affects 2 people
Affects: openssl (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I changed the CA directory to a different path in openssl.cnf:

[ CA_default ]

dir = ./something_different

CA.pl -newca will not succeed.

jan@x61s:~$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
............................................+++
writing new private key to './demoCA/private/cakey.pem'

The key gets written to ./demoCA instead of ./something_different. CA.pl ignores the setting in openssl.cnf until it changes its mind later in the process:

[...]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
I am unable to access the ./something_different/newcerts directory
./something_different/newcerts: No such file or directory
jan@x61s:~$

jan@x61s:~$ lsb_release -rd
Description: Ubuntu 14.04.1 LTS
Release: 14.04
jan@x61s:~$ apt-cache policy openssl
openssl:
  Installiert: 1.0.1f-1ubuntu2.8
  Installationskandidat: 1.0.1f-1ubuntu2.8
  Versionstabelle:
 *** 1.0.1f-1ubuntu2.8 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Ian Gibbs (realflash-uk) wrote :

Here's the workaround I use for this.

 * Set everything apart from dir in openssl.conf
 * Create the CA
 * Rename the folder
 * Set dir to what you named the folder.

All subsequent operations like generating keys, signing certs etc. work fine. It's just the initial CA generation that doesn't.
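
A check to run after the workaround above, as an added example that is not part of the bug report or of OpenSSL: it reads dir from the [ CA_default ] section, lists what the configured CA directory lacks, and flags a CA key left behind in ./demoCA. The function names and the list of expected entries (taken from the stock openssl.cnf layout) are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes the stock openssl.cnf layout.

# ca_dir CONF: print the value of "dir" from the [ CA_default ] section only.
ca_dir() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[[ \t]*CA_default[ \t]*\]/); next }
        in_sec && /^[ \t]*dir[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)    # drop "dir ="
            sub(/[ \t]*#.*$/, "", v)       # drop a trailing comment
            sub(/[ \t]+$/, "", v)          # drop trailing blanks
            print v
            exit
        }' "$1"
}

# ca_missing CONF: print each path the configured CA directory lacks.
# Returns 0 if complete, 1 if anything is missing, 2 if no dir is set.
# A relative dir is resolved against the current directory, as in the report.
ca_missing() {
    dir=$(ca_dir "$1")
    [ -n "$dir" ] || return 2
    rc=0
    for p in newcerts private/cakey.pem cacert.pem index.txt serial; do
        [ -e "$dir/$p" ] || { echo "$dir/$p"; rc=1; }
    done
    return "$rc"
}

# stray_democa CONF: succeed (and print the path) when a CA key sits in
# ./demoCA although the config points elsewhere, the symptom in this report.
stray_democa() {
    dir=$(ca_dir "$1")
    case "${dir%/}" in ./demoCA|demoCA) return 1 ;; esac
    [ -e ./demoCA/private/cakey.pem ] && echo ./demoCA/private/cakey.pem
}

# Constructed sample: the reporter's setting plus the tree CA.pl wrote to.
demo() (
    cd "$(mktemp -d)" || exit 1
    printf '[ CA_default ]\n\ndir = ./something_different # CA root\n' > openssl.cnf
    mkdir -p demoCA/private && : > demoCA/private/cakey.pem
    stray_democa openssl.cnf
    ca_missing openssl.cnf
)
demo || true
```

Run it from the directory in which CA.pl -newca was invoked, because both ./demoCA and a relative dir value are resolved against the current directory.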
