LibreSSL on OpenBSD: Error due to missing v3_ca in extension

nabbisen - Jul 8 '20 - - Dev Community

When you use openssl, one of the LibreSSL utilities, to create root and intermediate certificates with v3_ca extensions, an error may occur on OpenBSD 6.7.

This is because /etc/ssl/openssl.cnf doesn't have a [ v3_ca ] section by default.
The solution is to back up the file, if necessary, and append the section.

$ doas cp -p /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.org
$ doas nvim /etc/ssl/openssl.cnf

[ v3_ca ] section:

+ [ v3_ca ]
+ basicConstraints = critical,CA:TRUE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer:always
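
Review bot: the added [ v3_ca ] section sets basicConstraints but no keyUsage, so a certificate issued with it is not limited to certificate and CRL signing; consider adding `keyUsage = critical, keyCertSign, cRLSign`. Because the post uses this one section for both root and intermediate certificates, a separate section for intermediates with a path length limit, such as `basicConstraints = critical,CA:TRUE,pathlen:0`, would keep an intermediate from issuing further CAs.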

Besides, I ran into this error when trying to set up a TLS connection between a PostgreSQL server and client, like this:

$ # create a root certificate authority
[...]
$ openssl x509 -req -in root.csr -text -days 36500 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey root.key -out root.crt
Error Loading extension section v3_ca
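
The fix above as a shell function that can be re-run safely, for example when the same change has to be applied on several hosts (an added example, not from the original post). The function name `ensure_v3_ca` and its return codes are assumptions; the section body and the `.org` backup suffix are the ones shown above.

```shell
#!/bin/sh
# ensure_v3_ca FILE: append a [ v3_ca ] section to FILE unless one already exists.
# Hypothetical helper; the section body is the one given in the post.
# Return codes: 0 = section appended, 1 = already present, 2 = error.
# Example call (needs write access, e.g. from a doas shell):
#   ensure_v3_ca /etc/ssl/openssl.cnf
ensure_v3_ca() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Match "[v3_ca]" or "[ v3_ca ]" at the start of a line. A commented-out
    # header such as "# [ v3_ca ]" does not count as an existing section.
    if grep -Eq '^[[:space:]]*\[[[:space:]]*v3_ca[[:space:]]*]' "$conf"; then
        return 1
    fi

    # Keep a copy with the original mode and timestamps, as in the post.
    # An existing backup is never overwritten, so the pristine file survives.
    [ -e "$conf.org" ] || cp -p "$conf" "$conf.org" || return 2

    # The leading blank line keeps the header on its own line even when
    # the file does not end with a newline.
    cat >> "$conf" <<'EOF'

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}
```
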