I have searched a lot but cannot find an answer. I am posting this here because it looks more like an OpenSSL problem than a PHP problem, although I can create certificates from the command line with this CA config, so it is PHP that is unhappy about something.
When calling `openssl_pkey_new()` in PHP, I get the error: `Error loading request_extensions_section section v3_req of /path/to/ca.config`.
I pass the path of the ca.config file to `openssl_pkey_new()` in the config array, and PHP does open that file.
The ca.config file looks like this:
```ini
[ ca ]
default_ca = MyClientCA
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ MyClientCA ]
dir = /site/path/ssl/ca
new_certs_dir = $dir
unique_subject = no
certificate = $dir/MyClientCA.public
database = $dir/certindex
private_key = $dir/MyClientCA.key
serial = $dir/MyClientCA.srl
default_days = 3650
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.0 = Sparkling Intermidiate CA 1
DNS.1 = Sparkling CA Intermidiate 1
[crl_section]
URI.0 = http://pki.sparklingca.com/SparklingRoot.crl
URI.1 = http://pki.backup.com/SparklingRoot.crl
[ocsp_section]
caIssuers;URI.0 = http://pki.sparklingca.com/SparklingRoot.crt
caIssuers;URI.1 = http://pki.backup.com/SparklingRoot.crt
OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
OCSP;URI.1 = http://pki.backup.com/ocsp/
```
Unfortunately, the error `error loading request_extensions_section section v3_req` is not very helpful.
There is no `request_extensions` section in the file. There is an `x509_extensions` directive pointing to `myca_extensions`, but nothing seems to be wrong with it.
There is no `v3_req` section either. There is a `v3_ca` section, but again I cannot find anything wrong with it.
How can I get more details about the error in the config file?
Update
I have tried many things.
I tried copying the file from the system default openssl.conf, but that only changed the error to:
`error:0E06D06C:configuration file routines:NCONF_get_string:no value`
Lots of people online are asking about that error, but nobody has given any useful reply.
I switched to a basic config:
```ini
[ ca ]
default_ca = ClientCA
[ ClientCA ]
dir = /path/var/ssl
new_certs_dir = $dir/pk12
unique_subject = no
certificate = $dir/ca/ClientCA.public
database = $dir/ca/certindex
private_key = $dir/ca/ClientCA.key
serial = $dir/ca/ClientCA.srl
default_days = 3650
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
```
but got the same error:
`error:0E06D06C:configuration file routines:NCONF_get_string:no value`
The config creates certificates fine from the command line.
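One way to get more detail than the single PHP warning is to drain the OpenSSL error queue with `openssl_error_string()` after the failed call, since PHP only surfaces the last message. The snippet below is an added example, not code from the question; the options array is assumed (only the `config` path comes from the question), and `config_section_name` and `req_extensions` are PHP's documented `openssl_csr_new()`/`openssl_pkey_new()` config options.

```php
<?php
// Added example, not code from the question: call openssl_pkey_new() with a
// config array and collect every queued OpenSSL error, not just the last one.

/**
 * Call openssl_pkey_new() and return the key (or false) together with
 * every OpenSSL error queued during that call.
 */
function pkey_new_with_errors(array $config): array
{
    // Empty the queue first so leftovers from earlier calls are not
    // mistaken for errors of this call.
    while (openssl_error_string() !== false) {
    }

    // Suppress the single E_WARNING PHP raises; the queue is reported below.
    $key = @openssl_pkey_new($config);

    $errors = [];
    while (($err = openssl_error_string()) !== false) {
        $errors[] = $err;
    }
    return ['key' => $key, 'errors' => $errors];
}

// Assumed options; 'config' is the path from the question. PHP takes
// 'req_extensions' from this array or from the 'req_extensions' key of the
// section named by 'config_section_name' (default "req") in that file, and
// warns "Error loading request_extensions_section section <name> of <file>"
// when the named section cannot be loaded from the file.
$config = [
    'config'              => '/path/to/ca.config',
    'config_section_name' => 'req',
    'private_key_type'    => OPENSSL_KEYTYPE_RSA,
    'private_key_bits'    => 2048,
    'digest_alg'          => 'sha256',
];

$result = pkey_new_with_errors($config);
if ($result['key'] === false) {
    echo "openssl_pkey_new() failed; queued OpenSSL errors:\n";
    foreach ($result['errors'] as $i => $e) {
        printf("  [%d] %s\n", $i, $e);
    }
} else {
    echo "Key generated; no config problem for this call.\n";
}
```

Because `NCONF_get_string:no value` is queued whenever a key lookup in the file fails, reading the whole queue shows which lookup preceded the visible error.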