When using openssl, one of the LibreSSL utilities, to create root and intermediate certificates with v3_ca extensions, an error might occur on OpenBSD 6.7.
This is because /etc/ssl/openssl.cnf doesn't have a [ v3_ca ] section by default.
The solution is to create a backup, if necessary, and append the section.
$ doas cp -p /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.org
$ doas nvim /etc/ssl/openssl.cnf
Append the [ v3_ca ] section:
+ [ v3_ca ]
+ basicConstraints = critical,CA:TRUE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer:always
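Review bot: the new [ v3_ca ] section sets no keyUsage, so certificates signed with it are not explicitly limited to certificate and CRL signing; consider adding `keyUsage = critical, keyCertSign, cRLSign`. The same section is described as serving both root and intermediate certificates, and `basicConstraints = critical,CA:TRUE` carries no pathlen, so an intermediate signed with it can itself issue further CAs; a separate section for intermediates with `basicConstraints = critical,CA:TRUE,pathlen:0` would bound that.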
Besides, I met the error when trying to build a TLS connection between a PostgreSQL server and client, like this:
$ # create a root certificate authority
[...]
$ openssl x509 -req -in root.csr -text -days 36500 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey root.key -out root.crt
Error Loading extension section v3_ca
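
A pre-flight check for the failure above, as an added example that is not from the original post: it confirms that the file passed to -extfile defines the section named by -extensions, and that the section sets CA:TRUE, before openssl is run. The function names and the constructed sample config are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify an -extfile/-extensions
# pair before running openssl. Function names are this example's own.

# section_body FILE SECTION: print the non-comment lines of [ SECTION ];
# exit status 1 if FILE has no such section.
section_body() {
    awk -v want="$2" '
        /^[ \t]*\[/ {                        # section header, e.g. "[ v3_ca ]"
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            in_sec = (name == want)
            if (in_sec) found = 1
            next
        }
        in_sec && !/^[ \t]*#/ && !/^[ \t]*$/ { print }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_ca_section FILE SECTION returns:
#   0  section exists and sets basicConstraints with CA:TRUE
#   1  section missing: the case behind "Error Loading extension section"
#   2  section exists but would not produce a CA certificate
check_ca_section() {
    body=$(section_body "$1" "$2") || return 1
    printf '%s\n' "$body" |
        grep -Eiq '^[[:space:]]*basicConstraints[[:space:]]*=.*CA:TRUE' || return 2
    return 0
}

# Constructed sample config: first without [ v3_ca ], then with it appended.
demo=$(mktemp)
printf '[ req ]\ndistinguished_name = req_dn\n' > "$demo"
check_ca_section "$demo" v3_ca && echo "before: ok" || echo "before: status $?"
printf '[ v3_ca ]\nbasicConstraints = critical,CA:TRUE\n' >> "$demo"
check_ca_section "$demo" v3_ca && echo "after: ok" || echo "after: status $?"
rm -f "$demo"
```

Running `check_ca_section /etc/ssl/openssl.cnf v3_ca` before the signing command distinguishes a missing section from one that exists but would not yield a CA certificate.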