OpenSSL ca fails after password without error message

3

I am trying to use a Root CA to sign a CSR for an Intermediate certificate and OpenSSL asks for my password and then after that nothing happens. No error message and no certificates are made. The command it is failing on is:

openssl ca -config rootca.cnf -extensions v3_intermediate_ca ^
  -days 730 -notext -md sha256 ^
  -in C:/Certificates/IntermediateCA/csr/intermediate.csr.pem ^
  -out C:/Certificates/IntermediateCA/public/intermediate.cert.pem

openssl responds with:

Enter pass phrase for C:/Certificates/RootCA/private/rootca.key.pem:

and when I enter the password, nothing happens after that.

A good answer to this question would have two parts:

  1. What am I doing wrong?
  2. How can I get error output for this issue?

Additional Details

Not sure if this is needed but here are some additional commands I am using to generate the rest of the Intermediate CA:

Creating Intermediate CA private key:

openssl genrsa -aes256 -out private/intermediate.key.pem 4096

Creating Intermediate CSR:

openssl req -config intermediateca.cnf -new -sha256 ^
  -key private/intermediate.key.pem ^
  -out csr/intermediate.csr.pem

rootca.cnf (the important parts):

[ CA_default ]
dir = C:/Certificates/RootCA
...
[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
localityName            = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
...
[ req_distinguished_name ]
0.organizationName_default = org1
1.organizationName_default = org1.1
...
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

Kyle B

Posted 2018-06-01T16:44:11.790

Reputation: 91

Can you access the directory C:/Certificates/RootCA/private? Can you read the file C:/Certificates/RootCA/private/rootca.key.pem as the user you are running openssl as? Last idea: is the password correct (aren't there any special characters in the way?) – tukan – 2018-06-10T11:07:19.720

Yes, you can read all the files, I used an OpenSSL check to confirm that the private key was correct (with the password) – Kyle B – 2018-06-11T11:42:30.093

Could you check it with Process Explorer or Procmon (both from Sysinternals) to see if the file rootca.key.pem is accessed/read? The second thing that comes to mind is that the file could have different line endings -> Windows (EOL -> CRLF) vs. Linux (LF). – tukan – 2018-06-12T16:21:12.917

Answers

3

openssl may be thinking your index.txt file is "corrupt". This same behavior happened to me when I was resetting my file with echo '' > index.txt while scripting some things out. Simply removing the index.txt file and using touch index.txt to recreate it was enough to make openssl happy again.

Matt

Posted 2018-06-01T16:44:11.790

Reputation: 151

Thank you! I had the same issues as the OP and this fixed it for me. Is there already a bug reported to openssl? – user56452 – 2020-01-12T21:54:28.787
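The following is an added example, not code from the original question or answer, that checks the CA database files before `openssl ca` is run. It assumes the usual CA_default layout (database = $dir/index.txt, serial = $dir/serial) and the index.txt record format OpenSSL documents: one record per line, six tab-separated fields (status V/R/E, expiry, revocation date, serial, file name, subject DN). It reproduces the failure mode from the answer, where `echo '' > index.txt` leaves a one-line file (a bare newline on a POSIX shell, the literal '' plus CRLF under cmd.exe) instead of the zero-byte file OpenSSL treats as an empty database, and also flags CRLF line endings as suggested in the comments on the question. The serial check (an even number of hex digits) follows how OpenSSL parses that file; the function names and the temporary-directory demo are this example's own.

```python
"""Pre-flight check for the files `openssl ca` reads (added example).

Not from the original question or answer. Assumes the standard CA_default
layout (index.txt, serial) and the documented index.txt record format:
    status<TAB>expiry<TAB>revocation<TAB>serial<TAB>filename<TAB>subject DN
"""
import os
import re
import tempfile

_STATUS = {"V", "R", "E"}
_UTCTIME = re.compile(r"^\d{12}Z$|^\d{14}Z$")   # YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ
_SERIAL = re.compile(r"^[0-9A-Fa-f]+$")


def check_index_text(text):
    """Return a list of problems found in the contents of index.txt ([] if ok)."""
    problems = []
    if text == "":
        return problems                      # zero bytes: a fresh, valid database
    if "\r" in text:
        problems.append("CRLF line endings: OpenSSL reads index.txt as LF-terminated")
        text = text.replace("\r\n", "\n")
    lines = text.split("\n")
    if lines[-1] == "":
        lines.pop()                          # trailing newline after the last record
    for n, line in enumerate(lines, 1):
        if line.strip() == "":
            problems.append("line %d: blank line (an empty database must be a 0-byte file)" % n)
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            problems.append("line %d: %d fields, expected 6" % (n, len(fields)))
            continue
        status, expiry, revoked, serial, _fname, dn = fields
        if status not in _STATUS:
            problems.append("line %d: bad status %r" % (n, status))
        if not _UTCTIME.match(expiry):
            problems.append("line %d: bad expiry %r" % (n, expiry))
        if status == "R" and not _UTCTIME.match(revoked.split(",")[0]):
            problems.append("line %d: revoked entry without revocation date" % n)
        elif status != "R" and revoked != "":
            problems.append("line %d: revocation date on a non-revoked entry" % n)
        if not _SERIAL.match(serial):
            problems.append("line %d: serial %r is not hex" % (n, serial))
        if not dn.startswith("/"):
            problems.append("line %d: subject %r is not a /-separated DN" % (n, dn))
    return problems


def check_ca_dir(ca_dir):
    """Check index.txt and serial under ca_dir; return {filename: [problems]}."""
    report = {}
    idx = os.path.join(ca_dir, "index.txt")
    if not os.path.isfile(idx):
        report["index.txt"] = ["missing (create it as an empty file)"]
    else:
        with open(idx, "rb") as fh:
            report["index.txt"] = check_index_text(fh.read().decode("utf-8", "replace"))
    ser = os.path.join(ca_dir, "serial")
    if not os.path.isfile(ser):
        report["serial"] = ["missing (e.g. write 1000 into it)"]
    else:
        with open(ser, "rb") as fh:
            s = fh.read().decode("ascii", "replace").strip()
        ok = bool(_SERIAL.match(s)) and len(s) % 2 == 0   # OpenSSL rejects odd-length hex
        report["serial"] = [] if ok else ["not an even-length hex number: %r" % s]
    return report


def reset_blank_index(idx_path):
    """Recreate index.txt as a 0-byte file (the rm + touch from the answer),
    but only if it holds nothing except whitespace or stray quote characters,
    so a real database is never wiped. Returns True if the file was reset."""
    with open(idx_path, "rb") as fh:
        data = fh.read()
    if data.strip(b" \t\r\n'\""):
        return False
    with open(idx_path, "wb"):
        pass
    return True


def demo():
    """Replay the answer's scenario in a temporary CA directory (constructed data)."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        idx = os.path.join(d, "index.txt")
        with open(os.path.join(d, "serial"), "w") as fh:
            fh.write("1000\n")
        with open(idx, "w", newline="") as fh:
            fh.write("\n")                       # what `echo '' > index.txt` leaves behind
        out["after_echo"] = check_ca_dir(d)
        out["reset"] = reset_blank_index(idx)
        out["after_reset"] = check_ca_dir(d)
        with open(idx, "w", newline="") as fh:   # one well-formed record, constructed
            fh.write("V\t300601000000Z\t\t1000\tunknown\t/C=US/O=org1/CN=Intermediate CA\n")
        out["with_record"] = check_ca_dir(d)
    return out


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Run it against the real `dir` from rootca.cnf (`check_ca_dir("C:/Certificates/RootCA")`) before calling `openssl ca`; a non-empty list for index.txt is the condition the answer describes, and `reset_blank_index` applies the answer's fix only when there are no records to lose.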