I am unable to generate a CRL. I am probably missing something in the configuration file. The error I get is "openssl error while loading crl number." CRL config section:

[ CA_default ]
# Directory and file locations.
dir               = box/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand
# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/RcCA.crl
crl_extensions    = crl_ext
default_crl_days  = 30

The command I use:

openssl ca -config full-path-to-openssl.cnf  -gencrl -out full-path-to-RcCA.crl

Where rcCA is the crl file. File structure:
root CA

  • certs
  • crl
  • csr
  • intermediate
  • newcerts
  • pfx
  • private

  • serial

  • openssl.cnf
  • index.txt
  • crlnumber

Bottom three are files, above are folders.
The answers I've found point to the lack of an index file. But it exists on my machine. I don't know if I put it in the right place.

Edit:

@StackzOfZtuff helped. But now I am getting different errors. I don't know if this is considered resolved or I am just masking the previous error.

22048:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get issuer keyid:.\crypto\x509v3\v3_akey.c:165:

22048:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:95:name=authorityKeyIdentifier, value=keyid:always

Edit to second comment:

I would like to emphasize, my CA is working properly, except for the CRL issue. I am able to generate key, CSR, CER and PKCS12. I seem to be able to add entries to the CRL, but when I try to call the gencrl command, I get errors. I am not even sure if it matters.

See also

Follow-up post: Openssl generate CRL yields the error: unable to get issuer keyiid

StackzOfZtuff
Moutabreath

1 Answer

Initialize crlnumber file first

Try this:

echo 1000 > crlnumber
StackzOfZtuff
  • Thank you. Now it generates a different error. So I don't know if I should consider it resolved. – Moutabreath Jan 03 '17 at 11:58
  • @Moutabreath: Here's a bare-bones proof of concept shell script, that will generate a CA that can issue CRLs. (Not much else will work, though.) [`Make-new-OpenSSL-PoC-CA.sh`](http://pastebin.com/SHX0EDWR) Deployment info [here](http://pastebin.com/3pRyY3Ft). – StackzOfZtuff Jan 03 '17 at 12:44
  • I tried putting the values 0 and 1 in crlnumber, but they are not deemed valid values (the error is the same). I wonder why. – Matteo Steccolini Oct 03 '18 at 14:59
  • @MatteoSteccolini: It's more about the number format than the absolute value. For 0 and 1, there has to be a leading 0, so "00" or "01" do work. – F30 Jul 25 '19 at 14:48
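The following POSIX shell script is an added example, not code from the question, the answer or the linked pastebin. It ties together the answer ("initialize crlnumber"), F30's comment (the value must be an even number of hex digits, because OpenSSL loads crlnumber the same way it loads serial) and the follow-up error from the edit: `authorityKeyIdentifier = keyid:always` in the CRL extension section is resolved against the CA certificate's subjectKeyIdentifier, so a CA certificate issued without that extension makes `-gencrl` fail with "unable to get issuer keyid". It assumes an `openssl` binary (1.1 or 3.x) on the PATH; the directory layout, the file name `ca.crl`, the CA name "PoC CA" and the starting value 1000 are constructed for the example and differ from the asker's `box/ca` tree.

```shell
#!/bin/sh
# Added example: validate/initialize the crlnumber file and build a throwaway CA
# whose certificate carries a subjectKeyIdentifier, so that "openssl ca -gencrl"
# with "authorityKeyIdentifier = keyid:always" succeeds.
# Assumption: openssl on PATH (needed only by make_poc_ca and crl_number_of).

# OpenSSL parses crlnumber as a hex integer and rejects an odd digit count,
# which is why "1" fails while "01" and "1000" load.
crlnumber_ok() {
    # $1 = path to the crlnumber file
    [ -s "$1" ] || return 1
    head -n 1 "$1" | tr -d '\r' | grep -Eq '^([0-9A-Fa-f]{2})+$'
}

# Write a valid start value only when the file is missing or malformed.
init_crlnumber() {
    # $1 = path to the crlnumber file, $2 = start value (default 1000)
    if ! crlnumber_ok "$1"; then
        printf '%s\n' "${2:-1000}" > "$1"
    fi
}

# Create a minimal CA tree + config, a self-signed CA certificate, and an
# (empty) CRL numbered 0x1000. $1 = directory to create (constructed layout).
make_poc_ca() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    dir=$(cd "$1" && pwd)
    : > "$dir/index.txt"                 # an empty database is valid
    init_crlnumber "$dir/crlnumber" 1000
    printf '1000\n' > "$dir/serial"

    # Minimal openssl.cnf; the absolute $dir is expanded, \$dir stays literal.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default

[ CA_default ]
dir                = $dir
certs              = \$dir/certs
crl_dir            = \$dir/crl
new_certs_dir      = \$dir/newcerts
database           = \$dir/index.txt
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
crl                = \$dir/crl/ca.crl
private_key        = \$dir/private/ca.key
certificate        = \$dir/certs/ca.crt
default_md         = sha256
default_crl_days   = 30
crl_extensions     = crl_ext
policy             = policy_any

[ policy_any ]
commonName         = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
CN                 = PoC CA

[ v3_ca ]
# "keyid:always" in crl_ext is looked up against this SKID on the CA cert;
# a CA cert without it yields "unable to get issuer keyid" at -gencrl time.
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" -days 365 &&
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/ca.crl"
}

# Print the crlNumber stored in a CRL (hex, e.g. "1000"). $1 = CRL file.
crl_number_of() {
    openssl crl -in "$1" -noout -crlnumber | sed 's/^crlNumber=//'
}

# Usage: sh poc-ca.sh /tmp/poc-ca   (prints the CRL number of the new CRL)
if [ "$#" -gt 0 ]; then
    make_poc_ca "$1" && crl_number_of "$1/crl/ca.crl"
fi
```

After a successful run the crlnumber file reads 1001: `openssl ca -gencrl` stamps the current value into the CRL and then increments the file, exactly as it does for serial when signing a certificate.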