OpenSSL error while loading CRLnumber
Initialize the crlnumber file first.
Try this:
echo 1000 > crlnumber
Moutabreath
I develop using dotnet core and Angular2 with a focus on my organization's infrastructure. I like to test out new technologies and see the stuff I do actually being up and online and put to good use. While at home, if I have some time I'd rather move my behind somewhere that does not involve putting it against a surface. But sometimes I code at home, making it inevitable.
Updated on September 18, 2022

Comments
Moutabreath almost 2 years
I am unable to generate a CRL. I am probably missing something in the configuration file. The error I get is "openssl error while loading crl number." CRL config section:

[ CA_default ]
# Directory and file locations.
dir = box/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/RcCA.crl
crl_extensions = crl_ext
default_crl_days = 30
The command I use:
openssl ca -config full-path-to-openssl.cnf -gencrl -out full-path-to-RcCA.crl
Where RcCA is the CRL file. File structure:

root CA
- certs
- crl
- csr
- intermediate
- newcerts
- pfx
- private
- serial
- openssl.cnf
- index.txt
- crlnumber

Bottom three are files, above are folders.

The answers I've found are pointing to the lack of an index file. But it exists on my machine. I don't know if I put it in the right place.

Edit:
@StacksOfZtuff helped. But now I am getting different errors. I don't know if this is considered resolved or I am just masking the previous error.
22048:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get issuer keyid:.\crypto\x509v3\v3_akey.c:165:
22048:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:95:name=authorityKeyIdentifier, value=keyid:always
Edit to second comment:
I would like to emphasize, my CA is working properly, except for the CRL issue. I am able to generate key, CSR, cer and PKCS12. I seem to be able to add entries to the CRL, but when I try to call the gencrl command, I get errors. I am not even sure if it matters.

See also

Follow-up post: Openssl generate CRL yields the error: unable to get issuer keyid
Moutabreath over 7 years

Thank you. Now it generates a different error. So I don't know if I should consider it resolved.

StackzOfZtuff over 7 years

@Moutabreath: Here's a bare-bones proof-of-concept shell script that will generate a CA that can issue CRLs. (Not much else will work, though.)
Make-new-OpenSSL-PoC-CA.sh
Deployment info here.

Matteo Steccolini over 5 years

I tried putting the values 0 and 1 in crlnumber, but they are not deemed valid values (the error is the same). I wonder why.

Naitsirk almost 5 years

@MatteoSteccolini: It's more about the number format than the absolute value. For 0 and 1, there has to be a leading 0, so "00" or "01" do work.
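The following POSIX shell script is an added example, not code from the answer, the question or the linked proof-of-concept script. It builds a throwaway CA and issues a CRL from it, assuming only an openssl binary on PATH; the directory layout, file names and the CA subject "Example Root CA" are made up for the demonstration. It covers both points raised in the comments: crlnumber, like serial, is parsed as a hex integer and must contain an even number of hex digits (so 1000, 00 and 01 are accepted while 0 and 1 are not, which is why the "leading 0" is needed), and a crl_ext section using authorityKeyIdentifier = keyid:always needs the CA certificate itself to carry a subjectKeyIdentifier extension, which the v3_ca section below supplies and which is what the "unable to get issuer keyid" follow-up error is complaining about when it is missing.

```shell
#!/bin/sh
# Added example: a throwaway CA that can issue a CRL. Assumes openssl on PATH;
# paths, file names and the CA subject are made up for this demonstration.
set -eu

# crlnumber (like serial) is parsed as a hex integer and must hold an even
# number of hex digits: "1000", "00" and "01" are accepted, "0" and "1" are not.
crlnumber_ok() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Create the CA directory layout, the bookkeeping files and a self-signed CA
# certificate. The v3_ca section adds subjectKeyIdentifier, which the CRL's
# authorityKeyIdentifier=keyid:always extension is copied from.
make_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"          # empty certificate database
    echo 1000 > "$dir/serial"     # next certificate serial (hex)
    echo 1000 > "$dir/crlnumber"  # next CRL number (hex); a missing or empty
                                  # file gives "error while loading CRL number"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $dir
certs            = \$dir/certs
crl_dir          = \$dir/crl
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
private_key      = \$dir/private/ca.key
certificate      = \$dir/certs/ca.crt
crlnumber        = \$dir/crlnumber
crl              = \$dir/crl/ca.crl
crl_extensions   = crl_ext
default_crl_days = 30
default_md       = sha256
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
CN = Example Root CA

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
    openssl req -new -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" -days 365 2>/dev/null
}

# Issue a CRL and print the crlNumber it carries as bare hex digits (the
# "crlNumber=" label and the "0x" prefix that newer versions add are stripped).
gen_crl() {
    dir=$1
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/ca.crl" 2>/dev/null
    openssl crl -in "$dir/crl/ca.crl" -noout -crlnumber | sed 's/^crlNumber=//; s/^0x//'
}

# Usage: ./make-crl-ca.sh /tmp/demo-ca
if [ "${1:-}" ]; then
    make_ca "$1"
    gen_crl "$1"        # CRL number of the first CRL: 1000
    cat "$1/crlnumber"  # file is bumped to 1001 for the next CRL
fi
```

Run it with a scratch directory as the only argument. After the first CRL is issued the crlnumber file is rewritten with the next value (and the old one kept as crlnumber.old), so the file only has to be seeded once; the same even-digit rule applies whenever it is edited by hand.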