Monday, March 26, 2018

Attempting to generate a new CSR with OpenSSL fails with: “13536:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:”

Problem

You’ve downloaded OpenSSL and have begun the process of generating a new CSR to submit to a certificate authority, but notice that executing the following command:

req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

… generates the following error:

C:\OpenSSL-Win64\bin>openssl.exe

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

Can't open C:\Program Files\Common Files\SSL/openssl.cnf for reading, No such file or directory

13536:error:02001003:system library:fopen:No such process:crypto\bio\bss_file.c:74:fopen('C:\Program Files\Common Files\SSL/openssl.cnf','r')

13536:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:

Generating a 2048 bit RSA private key

........+++

............................................+++

writing new private key to 'mykey.pem'

-----

unable to find 'distinguished_name' in config

problems making Certificate Request

13536:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:

error in req

OpenSSL>

Solution

One of the reasons the error above is thrown is that the OPENSSL_CONF environment variable does not point to the openssl.cfg file. To set it, execute the following command (change the path as required):

set openssl_conf=c:\OpenSSL-Win64\bin\openssl.cfg

The CSR generation will proceed as expected once the configuration file is specified:

C:\OpenSSL-Win64\bin>openssl.exe

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

Generating a 2048 bit RSA private key

...................................................+++

.....................+++

writing new private key to 'mykey.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:
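
The fix above as a batch script, added here as an example (not from the original post): it confirms the configuration file exists, sets OPENSSL_CONF for the session, generates the CSR and verifies it. The install path matches the one shown above; the -subj values and the refusal to overwrite an existing key are assumptions of this example.

```bat
@echo off
setlocal
rem Added example. Paths follow the post; adjust them to your installation.
set "OSSL=C:\OpenSSL-Win64\bin\openssl.exe"
set "CONF=C:\OpenSSL-Win64\bin\openssl.cfg"

rem Print OPENSSLDIR, the directory this build searches for openssl.cnf by default.
"%OSSL%" version -d

rem Stop early if the configuration file is not where we expect it.
if not exist "%CONF%" (
    echo Configuration file not found: %CONF%
    exit /b 1
)

rem Assumption of this example: never overwrite an existing private key.
if exist mykey.pem (
    echo mykey.pem already exists, refusing to overwrite it.
    exit /b 1
)

rem "set" affects only this cmd session and the processes started from it.
set "OPENSSL_CONF=%CONF%"

rem Same command as in the post; -subj supplies the Distinguished Name
rem non-interactively (constructed sample values).
"%OSSL%" req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem ^
    -subj "/C=CA/O=Example Org/CN=host.example.com"
if errorlevel 1 (
    rem As the failed run above shows, the key is written before the request
    rem fails. -nodes leaves it unencrypted, so do not leave it behind.
    if exist mykey.pem del mykey.pem
    echo CSR generation failed.
    exit /b 1
)

rem Check the CSR's self-signature and print its subject before submitting it.
"%OSSL%" req -in myreq.pem -noout -verify -subject
endlocal
```
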

Please refer to one of my older posts if you’re using OpenSSL to generate a certificate for a Cisco Wireless Controller:

Generating SSL certificate with OpenSSL for Cisco Wireless Controller
http://terenceluk.blogspot.com/2015/03/generating-ssl-certificate-with-openssl.html
