I am unable to generate a CRL. I am probably missing something in the configuration file. The error I get is "openssl error while loading crl number."

CRL config section:
[ CA_default ]
# Directory and file locations.
dir = box/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/RcCA.crl
crl_extensions = crl_ext
default_crl_days = 30
The command I use:
openssl ca -config full-path-to-openssl.cnf -gencrl -out full-path-to-RcCA.crl
Where RcCA is the CRL file.
File structure:
root CA
certs
crl
csr
intermediate
newcerts
pfx
private
serial
openssl.cnf
index.txt
crlnumber
Bottom three are files, above are folders.
The answers I've found point to the lack of an index file. But it exists on my machine. I don't know if I put it in the right place.
Edit:
@StacksOfZtuff helped. But now I am getting different errors. I don't know if this is considered resolved or I am just masking the previous error.
22048:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get issuer keyid:.\crypto\x509v3\v3_akey.c:165:
22048:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:95:name=authorityKeyIdentifier, value=keyid:always
Edit to second comment:
I would like to emphasize that my CA is working properly, except for the CRL issue. I am able to generate key, csr, cer and pkcs12. I seem to be able to add entries to the CRL, but when I try to call the gencrl command, I get errors. I am not even sure if it matters
See also
Follow-up post: https://serverfault.com/questions/829608/openssl-generate-crl-yields-the-error-unable-to-get-issuer-keyiid
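
A pre-flight check for the state files that `openssl ca -gencrl` reads from a `[ CA_default ]` section like the one quoted above. This is an added example, not part of the original post or of OpenSSL; the function names and `SAMPLE_CNF` are constructed here, and it assumes the `crlnumber` file should hold a hex number with an even number of digits (for example `1000`).

```python
import os
import re

# Constructed sample: the relevant keys from the [ CA_default ] section quoted in the question.
SAMPLE_CNF = """\
[ CA_default ]
dir = box/ca
database = $dir/index.txt
crlnumber = $dir/crlnumber
"""

def parse_section(cnf_text, section):
    """Return key -> value for one section, expanding $name references to earlier keys."""
    values, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            values[key] = re.sub(r"\$\{?(\w+)\}?",
                                 lambda m: values.get(m.group(1), m.group(0)), val)
    return values

def check_crl_inputs(cnf_text, cwd, section="CA_default"):
    """List reasons `openssl ca -gencrl` could fail to read its state files."""
    cfg = parse_section(cnf_text, section)
    problems = []
    if "database" not in cfg:
        problems.append("database: not set in [%s]" % section)
    for key in ("database", "crlnumber"):
        if key not in cfg:
            continue  # crlnumber is optional; without it no CRL number is loaded
        # Relative paths are resolved against the working directory, not the config file.
        path = os.path.normpath(os.path.join(cwd, cfg[key]))
        if not os.path.isfile(path):
            problems.append("%s: no file at %s" % (key, path))
        elif key == "crlnumber":
            with open(path) as fh:
                text = fh.read().strip()
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", text):
                problems.append("crlnumber: %r is not an even-length hex number" % text)
    return problems

if __name__ == "__main__":
    for problem in check_crl_inputs(SAMPLE_CNF, os.getcwd()):
        print(problem)
```

Run it from the directory where the `openssl ca` command is issued, so that a relative `dir` resolves the same way it does for OpenSSL.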