我做了一堆search,但我找不到答案。 我在这里发布这个,因为它看起来更像是一个OpenSSL问题,而不是一个PHP,虽然我可以使用这个CAconfiguration从命令行创build证书,所以有一些PHP不喜欢它。
当在PHP中调用openssl_pkey_new()
时,出现错误:
Error loading request_extensions_section section v3_req of /path/to/ca.config
。
我通过configuration数组传递ca.config文件的path到openssl_pkey_new()
,PHP正在打开文件。
ca.config文件如下所示:
[ ca ] default_ca = MyClientCA [ crl_ext ] issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ MyClientCA ] dir = /site/path/ssl/ca new_certs_dir = $dir unique_subject = no certificate = $dir/MyClientCA.public database = $dir/certindex private_key = $dir/MyClientCA.key serial = $dir/MyClientCA.srl default_days = 3650 default_md = sha1 policy = myca_policy x509_extensions = myca_extensions crlnumber = $dir/crlnumber default_crl_days = 730 [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = optional emailAddress = optional organizationName = supplied organizationalUnitName = optional [ myca_extensions ] basicConstraints = critical,CA:TRUE keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section [ v3_ca ] basicConstraints = critical,CA:TRUE,pathlen:0 keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section [alt_names] DNS.0 = Sparkling Intermidiate CA 1 DNS.1 = Sparkling CA Intermidiate 1 [crl_section] URI.0 = http://pki.sparklingca.com/SparklingRoot.crl URI.1 = http://pki.backup.com/SparklingRoot.crl [ocsp_section] caIssuers;URI.0 = http://pki.sparklingca.com/SparklingRoot.crt caIssuers;URI.1 = http://pki.backup.com/SparklingRoot.crt OCSP;URI.0 = http://pki.sparklingca.com/ocsp/ OCSP;URI.1 = http://pki.backup.com/ocsp/
不幸的是, error loading request_extensions_section section v3_req
的错误error loading request_extensions_section section v3_req
并不是非常有用。
我没有在文件中的request_extensions
部分。 有一个指向myca_extensions
的x509_extensions
指令,但是似乎没有任何问题。
没有v3_req
部分。 有一个v3_ca
部分,但我再也看不出有什么问题了。
我怎样才能获得有关configuration文件有什么问题的更多细节?
更新
我试了一堆东西。
我试图从系统的默认openssl.conf中复制文件,但是这只是将错误更改为:
error:0E06D06C:configuration file routines:NCONF_get_string:no value
网上有很多人在问这个错误,但没有任何有用的回复。
我切换到一个基本的configuration:
[ ca ] default_ca = ClientCA [ ClientCA ] dir = /path/var/ssl new_certs_dir = $dir/pk12 unique_subject = no certificate = $dir/ca/ClientCA.public database = $dir/ca/certindex private_key = $dir/ca/ClientCA.key serial = $dir/ca/ClientCA.srl default_days = 3650 default_md = sha256 policy = myca_policy x509_extensions = myca_extensions [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = optional emailAddress = optional organizationName = supplied organizationalUnitName = optional [ myca_extensions ] basicConstraints = CA:FALSE keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section
但同样的错误:
error:0E06D06C:configuration file routines:NCONF_get_string:no value
configuration工作得很好,从命令行创build证书。