LibreSSL: openssl Error due to missing v3_ca in extension

@nabbisen

When using openssl, one of the LibreSSL utilities, to create root and intermediate certificates with the v3_ca extensions, an error may occur on OpenBSD 6.7.

This is because /etc/ssl/openssl.cnf doesn’t have a [ v3_ca ] section by default. The solution is to back up the file, if necessary, and append the section.

$ doas cp -p /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.org
$ doas nvim /etc/ssl/openssl.cnf

[ v3_ca ] section:

+ [ v3_ca ]
+ basicConstraints = critical,CA:TRUE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer:always
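
Review bot: the added [ v3_ca ] section marks the certificate as a CA through basicConstraints but sets no keyUsage, so the signing purpose is left implicit; consider adding `keyUsage = critical, keyCertSign, cRLSign`. On the authorityKeyIdentifier line, `issuer:always` copies the issuer name and serial number into each certificate, which ties an intermediate to one specific root certificate rather than to the root key; `keyid:always,issuer` avoids that if the root may be reissued with the same key.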

Besides, I met the error when trying to build a TLS connection between a PostgreSQL server and client, like this:

$ # create a root certificate authority
[...]
$ openssl x509 -req -in root.csr -text -days 36500 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey root.key -out root.crt
Error Loading extension section v3_ca
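
A pre-flight check for the error above, as an added example that is not part of the original post: it tests whether a config file defines `[ v3_ca ]` before openssl is run and, as an alternative to editing the system file, writes the section shown earlier to a separate file for `-extfile`. The function names and the fallback path are assumptions.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical.

# has_section FILE NAME
# Succeeds if FILE contains an uncommented "[ NAME ]" header.
# Spaces inside the brackets are optional, as in openssl.cnf syntax.
has_section() {
    grep -Eq "^[[:space:]]*\[[[:space:]]*$2[[:space:]]*\]" "$1"
}

# write_v3_ca FILE
# Writes the [ v3_ca ] block from the post to a standalone extension file.
write_v3_ca() {
    cat > "$1" <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# resolve_v3_ca_extfile CONF FALLBACK
# Prints the path to hand to -extfile: CONF when it already defines
# [ v3_ca ], otherwise FALLBACK, which is created with that section.
# CONF itself is never modified.
resolve_v3_ca_extfile() {
    if has_section "$1" v3_ca; then
        printf '%s\n' "$1"
    else
        write_v3_ca "$2" && printf '%s\n' "$2"
    fi
}

# Usage with the command from the post (fallback path is an example):
#   ext=$(resolve_v3_ca_extfile /etc/ssl/openssl.cnf ./v3_ca.cnf)
#   openssl x509 -req -in root.csr -text -days 36500 \
#       -extfile "$ext" -extensions v3_ca -signkey root.key -out root.crt
```

Keeping the section in a separate file leaves /etc/ssl/openssl.cnf as shipped, so a system upgrade that replaces the file does not bring the error back.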

Comments and feedback are welcome and appreciated.