I am unable to generate a CRL. I am probably missing something in the configuration file. The error I get is "openssl error while loading CRL number". CRL config section:
[ CA_default ]
# Directory and file locations.
dir = box/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/RcCA.crl
crl_extensions = crl_ext
default_crl_days = 30
The command I use:
openssl ca -config full-path-to-openssl.cnf -gencrl -out full-path-to-RcCA.crl
Where RcCA.crl is the CRL file.
File structure:
root CA
- certs
- crl
- csr
- intermediate
- newcerts
- pfx
- private
- serial
- openssl.cnf
- index.txt
- crlnumber
Bottom three are files, above are folders.
The answers I've found are pointing to the lack of index file. But it exists on my machine. I don't know if I put it in the right place.
Edit:
@StacksOfZtuff helped. But now I am getting different errors. I don't know if this is considered resolved or I am just masking the previous error.
22048:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get issuer keyid:.\crypto\x509v3\v3_akey.c:165:
22048:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:95:name=authorityKeyIdentifier, value=keyid:always
Edit to second comment:
I would like to emphasize that my CA is working properly, except for the CRL issue. I am able to generate a key, CSR, cer and PKCS#12. I seem to be able to add entries to the CRL, but when I try to call the gencrl command, I get errors. I am not even sure if it matters
See also
Follow-up post: Openssl generate CRL yields the error: unable to get issuer keyiid
Initialize crlnumber file first
Try this:
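Added worked example (not part of the answer above or of the asker's setup): a throwaway CA built under a temp directory with the three text files `openssl ca` reads (`index.txt`, `serial`, `crlnumber`) created up front, then the same `openssl ca -gencrl` call as in the question run against it. It goes a step further than the answer in two ways: it reproduces the question's "error while loading CRL number" by deleting `crlnumber` and checking that the command fails, and the CA certificate it creates carries `subjectKeyIdentifier = hash`, which is what `authorityKeyIdentifier = keyid:always` in `crl_ext` needs to resolve (the cause of the "unable to get issuer keyid" error in the edit). The directory layout, CA name, starting numbers and file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original question or answer): build a throwaway
# CA under a temp directory, create the three text files "openssl ca" expects
# (index.txt, serial, crlnumber) and generate a CRL from it.
# Everything below (paths, the CA name, the starting numbers) is an assumption
# made for the demo, not taken from the poster's setup.
set -eu

# Lay out the CA directory, write a minimal openssl.cnf and generate a CRL.
# Prints the path of the generated CRL.
make_ca_and_crl() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"            # the database: must exist, may be empty
    echo 1000 > "$dir/serial"       # next certificate serial (hex)
    echo 1000 > "$dir/crlnumber"    # next CRL number (hex); -gencrl refuses to
                                    # run if this file is missing or malformed
    # "dir" is written as an absolute path so the config works from any cwd.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $dir
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/ca.key
certificate = \$dir/certs/ca.crt
crlnumber = \$dir/crlnumber
crl = \$dir/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
policy = policy_any

[ policy_any ]
commonName = supplied

[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca

[ req_dn ]
CN = Example Demo CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
    # Self-signed CA certificate. The subjectKeyIdentifier in v3_ca is what
    # "authorityKeyIdentifier = keyid:always" in crl_ext copies; a CA cert
    # without it makes -gencrl fail with "unable to get issuer keyid".
    openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" 2>/dev/null
    # Same command as in the question, with absolute paths.
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/ca.crl"
    echo "$dir/crl/ca.crl"
}

# Read the CRL number back out of a CRL (hex, without any 0x prefix).
crl_number() {
    openssl crl -in "$1" -noout -crlnumber | sed -n 's/^crlNumber=\(0x\)\{0,1\}//p'
}

# Reproduce the question's failure: with crlnumber gone, the same command
# must fail and name the CRL number in its error output.
gencrl_fails_without_crlnumber() {
    dir="$1"
    rm -f "$dir/crlnumber"
    if openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/bad.crl" 2>"$dir/err.txt"; then
        return 1
    fi
    grep -qi 'CRL number' "$dir/err.txt"
}

# Demo run; skipped when openssl is not on PATH.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    crl=$(make_ca_and_crl "$demo")
    echo "generated $crl, CRL number $(crl_number "$crl"), next number $(cat "$demo/crlnumber")"
    rm -rf "$demo"
fi
```

After a successful run the generated CRL carries CRL number 0x1000 and `crlnumber` has been bumped to 1001 (with the previous value kept in `crlnumber.old`), which is the behaviour to expect from a correctly initialised file. Note that `dir` in the generated config is absolute; the relative `dir = box/ca` in the question only resolves when the command is run from the directory above `box`, which is the other common reason `-gencrl` cannot find `crlnumber` even though the file exists.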