
When I use OpenSSL and a config file to sign an intermediate certificate I constantly get the same error. The errors are:

140736005481480:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/Volumes/Project - Encrypted/Security/root/ca/index.txt.attr','rb')

140736005481480:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:

140736005481480:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:

140736005481480:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=CA_default name=email_in_dn

I understand the first error about the file not being found, but what I don't understand is why the file it's looking for isn't the file I define in the config. This is what I put in the config:

database = $dir/index.txt # database index file.

The command I use is sudo openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -keyfile private/ca.key.pem -cert certs/ca.cert.pem -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem

Does anyone understand what's causing these errors and how to fix them?

Matthew N

1 Answer


openssl ca doesn't just use the database index file (which you have correctly set to be index.txt) but also a database attribute file. This is always in the same place as the index file and its name is that of the index suffixed with .attr. This attribute file (which is not really documented, as far as I know) holds only one piece of information: the configuration line

unique_subject = yes/no

So what do you need to do? Create the file index.txt.attr in the folder where your CA is stored (apparently /Volumes/Project - Encrypted/Security/root/ca) and add to it the single line I mentioned above.

mat
  • I haven't had a chance to test it, but I'm assuming it's going to work. What does "unique_subject" do? – Matthew N Jul 08 '17 at 14:12
  • `openssl ca` doesn't actually need the `attr` file; it uses a default, and then (re)creates the `attr` file after processing (in `save_index`). But it does leave spurious 'error' info in the error stack, which gets added to the display for any real error that occurs. And similarly for `email_in_dn` whose absence is actually ignored but still pollutes the stack. I don't know what the real error was here but it wasn't either/any of the 'errors' in the Q. – dave_thompson_085 Jul 09 '17 at 07:40
  • @Matt121: unique_subject is explained in the man page for `ca` on your system [also on the web](https://www.openssl.org/docs/man1.1.0/apps/ca.html) – dave_thompson_085 Jul 09 '17 at 07:42
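A complete, self-contained CA layout that makes the command from the question succeed, added here as an example; it is not code from the question, the answer or the OpenSSL project, and the directory layout, section names, subject names and the function names (write_ca_config, init_ca_dir, run_ca_demo) are my own choices. It deliberately does not pre-create index.txt.attr, runs the same openssl ca command shape as the question, and then prints the attr file that openssl ca wrote on its own, which is the behaviour the comment above describes. It assumes an openssl CLI (1.1.x or 3.x) on PATH and runs everything inside a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. Minimal working `openssl ca`
# setup: config, directory layout, root CA, intermediate CSR, signing.
set -eu

# Config uses `dir = .` so every $dir path resolves relative to the CA
# directory we cd into. The trailing-comment style matches OpenSSL's own
# default openssl.cnf, which is what the question's config relies on too.
write_ca_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca        = CA_default

[ CA_default ]
dir               = .
database          = $dir/index.txt
new_certs_dir     = $dir/newcerts
serial            = $dir/serial
certificate       = $dir/certs/ca.cert.pem
private_key       = $dir/private/ca.key.pem
default_md        = sha256
default_days      = 3650
policy            = policy_loose
# Value that openssl ca copies into index.txt.attr when it saves the index.
unique_subject    = no
# Set explicitly so NCONF_get_string does not leave a 'no value' entry.
email_in_dn       = no

[ policy_loose ]
commonName        = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints  = critical, CA:true
keyUsage          = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_intermediate_ca ]
basicConstraints  = critical, CA:true, pathlen:0
keyUsage          = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# Only index.txt, serial and newcerts/ are mandatory. index.txt.attr is
# intentionally NOT created: openssl ca falls back to its default and
# (re)writes the file itself after processing.
init_ca_dir() {
    mkdir -p "$1/certs" "$1/private" "$1/newcerts" "$1/csr"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    write_ca_config "$1/openssl.cnf"
}

# Build a root CA, a CSR for an intermediate, sign it with openssl ca,
# verify the chain and show the attr file openssl ca produced.
run_ca_demo() {
    init_ca_dir "$1"
    ( set -e
      cd "$1"
      openssl ecparam -name prime256v1 -genkey -noout -out private/ca.key.pem
      openssl req -new -x509 -sha256 -config openssl.cnf -extensions v3_ca \
          -days 7300 -key private/ca.key.pem \
          -subj "/CN=Example Root CA" -out certs/ca.cert.pem
      openssl ecparam -name prime256v1 -genkey -noout \
          -out private/intermediate.key.pem
      openssl req -new -sha256 -config openssl.cnf \
          -key private/intermediate.key.pem \
          -subj "/CN=Example Intermediate CA" -out csr/intermediate.csr.pem
      # Same shape as the question's command; -batch suppresses the prompts.
      openssl ca -batch -config openssl.cnf -extensions v3_intermediate_ca \
          -days 3650 -notext -md sha256 \
          -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
          -in csr/intermediate.csr.pem -out certs/intermediate.cert.pem
      openssl verify -CAfile certs/ca.cert.pem certs/intermediate.cert.pem
      echo "index.txt.attr written by openssl ca:"
      cat index.txt.attr
    )
}

run_ca_demo "${1:-$(mktemp -d)}"
```

When openssl ca fails against a layout like this one, read the last line of the error stack first: the fopen/BIO_new_file entries for index.txt.attr and the NCONF_get_string entry for email_in_dn are leftovers from lookups that have a default, so the entry that actually aborted the run comes after them.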