error openssl with Exchange server 2013?

  • Question

  • I am a newbie to the OpenSSL world. I am trying to install OpenSSL certification on my Microsoft Exchange server. For this I was following the article below step by step. At one place I got stuck while creating the 'ca' and am getting the errors below.

    I have created the index.txt and serial files and have proper permissions.

    article: http://www.stephen-scotter.net/computers/windows/exchange/using-openssl-to-create-a-certificate-for-exchange-2010

    Using configuration from c:\OpenSSL-Win64\bin\openssl.cfg 

    C:\OpenSSL-Win64>bin\openssl.exe ca -name ServerCA -policy policy_anything -in SIFY_CA\requests\SIFYSERV4-EXCHANGE.csr -out SIFY_CA\certs\SIFYSERV4-EXCHANGE-WRONGFORMAT.cer -md sha1 
    Loading 'screen' into random state - done 
    Enter pass phrase for \\DALLAS\OpenSSL-Win64\SIFY_CA\private\SIFY_CA.key: 
    Error Loading extension section ca_cert 
    11128:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:169:fopen('\\DALLAS\OpenSSL-Win64\SIFY_CA\index.txt.attr','rb') 
    11128:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:172: 
    11128:error:0E078072:configuration file routines:DEF_LOAD:no such file:.\crypto\conf\conf_def.c:197: 
    11128:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:.\crypto\x509v3\v3_alt.c:537: 
    11128:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:93:name=subjectAltName, value=DNS:sifytech.com,DNS:www.sifytech.com;DNS:*.sifytech.com,mail.SIFY.com,owa.sifytech.com

    openssl.cfg

    HOME     = \\\\DALLAS\\OpenSSL-Win64 
    #RANDFILE = $HOME\\.rnd 
    
    [ca] 
    default_ca = SIFY_CA 
    
    [SIFY_CA] 
    dir              = $HOME\\SIFY_CA 
    certs            = $dir\\certs 
    crl_dir          = $dir\\crl 
    database         = $dir\\index.txt 
    new_certs_dir    = $dir\\newcerts 
    certificate      = $certs\\SIFY_CA.cer 
    serial           = $dir\\serial 
    crl              = $crl_dir\\SIFY_CA.crl 
    private_key      = $dir\\private\\SIFY_CA.key 
    RANDFILE         = $dir\\private\\.rnd 
    unique_subject   = no 
    email_in_dn      = yes 
    policy           = policy_match 
    x509_extensions  = ca_cert 
    default_days     = 18250 
    default_crl_days = 18250 
    default_md       = md5 
    
    
    [ServerCA] 
    dir              = $HOME\\SIFY_CA 
    certs            = $dir\\certs 
    crl_dir          = $dir\\crl 
    database         = $dir\\index.txt 
    new_certs_dir    = $dir\\newcerts 
    certificate      = $certs\\SIFY_CA.cer 
    serial           = $dir\\serial 
    #####crl              = $crl_dir\\ServerCA.crl 
    crl              = $crl_dir\\SIFY_CA.crl 
    private_key      = $dir\\private\\SIFY_CA.key 
    RANDFILE         = $dir\\private\\.rnd 
    unique_subject   = no 
    email_in_dn      = yes 
    policy           = policy_match 
    x509_extensions  = ca_cert 
    default_days     = 18250 
    default_crl_days = 18250 
    default_md       = md5 
    #####copy_extensions  = copy 
    #####copy_extensions  = none 
    
    [policy_match] 
    countryName            = match 
    stateOrProvinceName    = optional 
    organizationName       = optional 
    organizationalUnitName = supplied 
    commonName             = supplied 
    emailAddress           = optional 
    
    [policy_anything] 
    countryName            = optional 
    stateOrProvinceName    = optional 
    localityName           = optional 
    organizationName       = optional 
    organizationalUnitName = optional 
    commonName             = supplied 
    emailAddress           = optional 
    
    [req] 
    default_bits       = 2048 
    default_keyfile    = privkey.pem 
    distinguished_name = req_distinguished_name 
    #attributes        = req_attributes 
    x509_extensions    = v3_ca 
    req_extensions     = v3_req 
    
    [req_distinguished_name] 
    countryName = Country Name (2 letter code) 
    countryName_default = GB 
    countryName_min = 2 
    countryName_max = 2 
    stateOrProvinceName = State or Province Name (full name) 
    stateOrProvinceName_default = West Midlands 
    localityName    = Locality Name (eg, city) 
    localityName_default            = Birmingham 
    0.organizationName  = Organization Name (eg, company) 
    0.organizationName_default  = WHLB (Certificate Authority) 
    organizationalUnitName  = Organizational Unit Name (eg, section) 
    organizationalUnitName_default  = 
    commonName  = Common Name (eg, YOUR name) 
    commonName_default  = WHLB (Certificate Authority) 
    commonName_max  = 64 
    emailAddress    = Email Address 
    emailAddress_max    = 64 
    
    
    [v3_ca] 
    #basicConstraints      = critical, CA:true, pathlen:0 
    basicConstraints      = CA:true 
    #nsCertType            = sslCA 
    #keyUsage              = cRLSign, keyCertSign 
    #extendedKeyUsage      = serverAuth, clientAuth 
    nsComment             = "OpenSSL CA Certificate" 
    crlDistributionPoints = URI:http://dallas.sifytech.com/SIFY_ca/crl/SIFY_CA.crl
    
    [v3_req] 
    basicConstraints      = CA:FALSE 
    keyUsage              = nonRepudiation, digitalSignature, keyEncipherment 
    crlDistributionPoints = URI:http://dallas.sifytech.com/SIFY_ca/crl/SIFY_CA.crl
    
    [ca_cert] 
    basicConstraints       = CA:true 
    nsComment              = "OpenSSL Generated Certificate" 
    subjectKeyIdentifier   = hash 
    authorityKeyIdentifier = keyid, issuer:always 
    extendedKeyUsage       = serverAuth, clientAuth 
    crlDistributionPoints = URI:https://dallas.sifytech.com/SIFY_ca/crl/SIFY_CA.crl
    subjectAltName        = DNS:sifytech.com,DNS:www.sifytech.com;DNS:*.sifytech.com,mail.intensify.com,owa.sifytech.com 

    What could be wrong? Did I miss anything here? Help me out?



    ItsMeSri SP 2013 Foundation

    Sunday, February 8, 2015 3:51 PM

Answers

  • Check whether this issue is caused by the firewall. Disable the firewall and create an Exchange request, create a certificate on a public CA.

    • Marked as answer by Niko.Cheng Wednesday, February 25, 2015 2:26 AM
    Thursday, February 12, 2015 8:39 AM
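
Added example, not part of the original thread: the `v2i_GENERAL_NAME_ex:missing value` error in the question names the `subjectAltName` line, where OpenSSL splits the value on commas and expects every item to be `type:value`. The Python sketch below (function names are hypothetical; the sample config is the `[ca_cert]` value copied from the question) checks each item the same way before `openssl ca` is run.

```python
import re

# GeneralName type prefixes accepted in an OpenSSL subjectAltName value.
SAN_TYPES = {"DNS", "IP", "email", "URI", "RID", "dirName", "otherName"}
DNS_RE = re.compile(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")

def find_ext_value(cfg_text, section, key):
    """Return the value of `key` inside [section] of an openssl config, or None."""
    current = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if m:
            current = m.group(1)
        elif current == section and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                return v.strip()
    return None

def lint_san(value):
    """Return (item, problem) pairs for each comma-separated item."""
    problems = []
    for item in (i.strip() for i in value.split(",")):
        name, sep, val = item.partition(":")
        if not sep or not val:
            problems.append((item, "no 'type:' prefix or empty value"))
        elif name not in SAN_TYPES:
            problems.append((item, "unknown type %r" % name))
        elif name == "DNS" and not DNS_RE.fullmatch(val):
            problems.append((item, "not a single host name (stray ';'?)"))
    return problems

# Sample input: the [ca_cert] subjectAltName line as posted in the question.
SAMPLE_CFG = """
[ca_cert]
basicConstraints = CA:true
subjectAltName = DNS:sifytech.com,DNS:www.sifytech.com;DNS:*.sifytech.com,mail.intensify.com,owa.sifytech.com
"""

if __name__ == "__main__":
    san = find_ext_value(SAMPLE_CFG, "ca_cert", "subjectAltName")
    for item, why in lint_san(san):
        print("%-45s %s" % (item, why))
```
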