Develop Reference

OpenSSL Subca and SAN Website Certificate

currently in my work, we have a PKI made with Microsoft Certificate Authority Role.
Root CA: Out of domain and turned off.
Sub CA: Domain connected, provides CRL (using IIS) and sign certificates for domain computers.
My idea is to reproduce the environment with Linux and Openssl. At least my first objective is for the internal webs.
I followed this tutorial https://jamielinux.com/docs/openssl-certificate-authority/ and everything works fine.
I create the Root CA and self-sign it.
I create the Subca, I sign it with the Root and verify that the certification chain is correct -> OK
The problem is when I try to create a website certificate with SAN (Subject Alternative Name) field. This is the way I create the csr and key files.
openssl req -nodes -new -newkey rsa:4096 \
-keyout test3.psc.local.key \
-out test3.psc.local.csr \
-addext "subjectAltName = DNS:test3.psc.local" \
-subj "/C=ES/ST=Barcelona/L=Barcelona/O=GRG-CA/OU=GRG-CA/emailAddress=your#email.dot/CN=test3.psc.local/"
If I check the CSR with OpenSSL command openssl x509 -noout -text -in test3.psc.local.csr the SAN field exist and has the value that I set in generation command (test3.psc.local).
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = ES, ST = Barcelona, L = Barcelona, O = GRG-CA, OU = GRG-CA, emailAddress = your#email.dot, CN = test3.psc.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:dc:17:8c:c1:90:26:16:67:4e:16:b3:0c:9b:2b:
3d:ec:8e:94:47:b9:8c:b8:14:ac:be:09:b8:bb:f5:
d8:f2:79:26:a6:9d:2f:73:5b:48:64:cb:3a:c2:f6:
bd:6d:7f:fd:7e:f2:... bla bla bla
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:test3.psc.local
Signature Algorithm: sha256WithRSAEncryption
b5:f0:7f:ba:ab:dc:f6:ee:37:c5:fa:14:27:6b:09:a8:b8:08:
0b:4f:ed:2a:44:72:cd:8d:50:47:79:7d:69:e3:73:cc:14:89:
b6:69:ff:61:bb:79:0a:41:12:32:c7:d1:6f:1d:a4:e4:cb:ef:
16:56:35:fd:44:0a:0c:70:fc:45:1f:7d:c2:d7:4c:ca:bd:66:
6d:e6:41:74:56:2c:... bla bla bla
When I try to sign the certificate with OpenSSL Subca I execute with this command.
openssl ca -config intermediate/sub-ca-openssl.cnf \
-extensions server_cert \
-days 375 -notext -md sha512 \
-in /root/ca/test3.psc.local.csr \
-out /root/ca/test3.psc.local.crt
But the SAN field isn't present, so Firefox, Chrome and others dont trust in certificate. Only IE11 trust.
Using configuration from intermediate/sub-ca-openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4099 (0x1003)
Validity
Not Before: Oct 12 20:58:53 2022 GMT
Not After : Oct 22 20:58:53 2023 GMT
Subject:
countryName = ES
stateOrProvinceName = Barcelona
localityName = Barcelona
organizationName = GRG-CA
organizationalUnitName = GRG-CA
commonName = test3.psc.local
emailAddress = your#email.dot
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
BC:11:0C:2E:08:FA:7D:91:16:1E:AC:0E:12:DA:80:69:64:F7:F1:58
X509v3 Authority Key Identifier:
keyid:7D:B8:7B:9E:59:4F:70:7B:F8:2C:1F:2B:0C:A2:E9:90:3C:D1:7A:71
DirName:/C=ES/ST=Barcelona/L=Barcelona/O=GRG-CA/OU=GRG-CA/CN=GRG Root CA
serial:10:00
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.dominio.com/intermediate.crl
Certificate is to be certified until Oct 22 20:58:53 2023 GMT (375 days)
Sign the certificate? [y/n]:
Content of SUB CA config:
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /root/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/subordinate-ca-database.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 365
default_md = sha512
name_opt = ca_default
cert_opt = ca_default
default_days = 5840
preserve = no
policy = subca_policy
[ subca_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha512
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = ES
stateOrProvinceName_default = Barcelona
localityName_default = Barcelona
0.organizationName_default = GRG-CA
organizationalUnitName_default = GRG-CA
#emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://pki.dominio.com/intermediate.crl
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ crl_info ]
URI.0 = http://pki.dominio.com/sub-ca.crl
URI.1 = https://www.dominio.com/pki/sub-ca.crl
I've read that I need a SAN.conf with alternate names in SUBCA server for sign... and change all Alternate Names for every CSR (website) that I want to sign... but in Microsoft Subca I dont need to tell that fields when I sign the CSR (only on generation, same command as I write before).
There is a way to do that?

From the man page for OpenSSL's CA command:
copy_extensions
determines how extensions in certificate requests should be handled.
If set to none or this option is not present then extensions are
ignored and not copied to the certificate. If set to copy then any
extensions present in the request that are not already present are
copied to the certificate. If set to copyall then all extensions in
the request are copied to the certificate: if the extension is already
present in the certificate it is deleted first. See the WARNINGS
section before using this option.
The main use of this option is to allow a certificate request to
supply values for certain extensions such as subjectAltName.
Also, you should understand that using OpenSSL as a CA isn't the best idea. There is no logging, no multi-person control etc. - basically no security. Read the WARNINGS section of the same man page.

openssl req utf8 strings

as others i'm struggling with utf8 in requests. sure i went through all preciding questions and answers. well here is my workout.
configuration:
[ req ]
default_bits = 2048
default_md = sha256
string_mask = utf8only
utf8 = yes
distinguished_name = DistName
attributes = Attr
[ DistName ]
commonName = Name (your official name)
commonName_default = hans nägli dödüé
stateOrProvinceName = State or Province Name (full name)
countryName = Country Code (2 letter code)
countryName_default = CH
[ Attr ]
subjectAltName = Name (international / latin)
subjectAltName_default = hans nägeli dädü
postalCode = zip code
localityName = Locality Name (eg, city)
emailAddress = Email Address
i verified this config file is utf8 and started thereafter using default values:
openssl req -verbose -config CsrPerson.cfg -new -key HansMuster-ecpem.key -passin pass:gugus -out HansMuster-pem.csr
i then had a look into the request using
openssl req -utf8 -noout -text -in HansMuster-pem.csr
showing
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = hans n\C3\A4gli d\C3\B6d\C3\BC\C3\A9, ST = z\C3\BCrich, C = CH
Subject Public Key Info:
...snip...
NIST CURVE: P-384
Attributes:
postalCode :2222
localityName :Dörrhausen
X509v3 Subject Alternative Name:hans nägeli dädü
emailAddress :hans.naegeli#gmx.net
...snip...
using same source, same configuration, same procedure: subject/distinguished name has not been treated as utf8 but worked out well with attributes even with locality name which was entred by keyboard.
ASN1 definition of subject show a possible content as utf8 string. openssl version OpenSSL 1.1.0g 2 Nov 2017.
where have i been mistaken?
have fun

You can try the following:
openssl req -nameopt utf8 -noout -text -in HansMuster-pem.csr
This should only fix the display problem, you have to check if your other requirements are still met.
You can find more details about the "-nameopt" options here in the "NAME OPTIONS" section: https://www.openssl.org/docs/man1.0.2/man1/x509.html
Other related links:
How to create CSR with utf8 subject in openssl?

How to generate csr and crt files using openssl in ruby

So i'm using AWS Iot and have a server running ruby on rails in the backend. i need to generate some certs for the client and the example on the AWS website only provides a way to do it using the openssl command line. If possible i would like to use the open ssl library in ruby to do this to avoid making ruby run commands in the terminal which may cause issues.
These are the commands i want to replicate using ruby
openssl genrsa -out deviceCert.key 2048
openssl req -new -key deviceCert.key -out deviceCert.csr
openssl x509 -req -in deviceCert.csr -CA sampleCACertificate.pem -CAkey sampleCACertificate.key -CAcreateserial -out deviceCert.crt -days 99999 -sha256
The first line i found and think i can do
require 'openssl'
rsa_key = OpenSSL::PKey::RSA.new(2048)
but i'm stuck on the last 2 lines. Any ideas?

Here is an example to generate a self signed certificate.
require 'rubygems'
require 'openssl'
key = OpenSSL::PKey::RSA.new(1024)
public_key = key.public_key
subject = "/C=BE/O=Test/OU=Test/CN=Test"
cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
cert.not_before = Time.now
cert.not_after = Time.now + 365 * 24 * 60 * 60
cert.public_key = public_key
cert.serial = 0x0
cert.version = 2
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate = cert
cert.extensions = [
ef.create_extension("basicConstraints","CA:TRUE", true),
ef.create_extension("subjectKeyIdentifier", "hash"),
# ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
]
cert.add_extension ef.create_extension("authorityKeyIdentifier",
"keyid:always,issuer:always")
cert.sign key, OpenSSL::Digest::SHA1.new
puts cert.to_pem
Source for Example

was able to eventually figure it out using this rdoc example
http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/X509/Certificate.html#method-c-new

Cannot configure OpenSSL on Windows properly

I want to use KDSoap, which uses Qt, which uses OpenSSL, to consume a web service, that requires a secure connection, established by using a key stored in a USB HSM (SmartCard + Reader basically, called an Athena IDProtect Key v2.0).
I've installed 64bit OpenSSL from Shining Light Productions. Qt 5.8 can load it (I've checked with QSslSocket).
Problem
The problem is that even though it seems that Qt's network backend should load the OpenSSL config file, it does not. In fact, I think OpenSSL is to blame here and not Qt because of the tests I've done with the provided openssl tool.
First of all, the config is read because any syntax error in the config makes the openssl tool complain about it next time I run it.
Second of all, with a clean config, this works:
C:\Users\brokenthorn>openssl engine dynamic -t -pre SO_PATH:C:\OpenSSL-Win64\bin\capi.dll -pre LOAD -post list_certs
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\OpenSSL-Win64\bin\capi.dll
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
[ available ]
Certificate 0
<No Friendly Name>
Subject: C = RO, L = Mun. Constanta, O = SC MINI-FARM SRL, CN = Valentina Calin, serialNumber = 2006051670CV93, name = Valentina Calin, GN = Valentina, SN = Calin
Issuer: C = RO, O = certSIGN, OU = certSIGN Qualified CA Class 3 G2, CN = certSIGN Qualified CA Class 3 G2
Certificate 1
<No Friendly Name>
Subject: CN = DESKTOP-IF670KN\\brokenthorn
Issuer: CN = DESKTOP-IF670KN\\brokenthorn
[Success]: list_certs
But if I try to load the engine by ID, after having defined it in the config file, I get an error where it says it cannot find the DLL file, except it adds .dll.dll to the specified ID:
OpenSSL> engine -t -pre ID:capi -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: ID:capi
[Failure]: LOAD
4684:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:.\crypto\dso\dso_win32.c:179:filename(capi.dll.dll)
4684:error:25070067:DSO support routines:DSO_load:could not load the shared library:.\crypto\dso\dso_lib.c:233:
4684:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:.\crypto\engine\eng_dyn.c:467:
[ unavailable ]
Now, I've tried creating a copy of capi.dll and named it capi.dll.dll and the above command starts working:
OpenSSL> engine -t -pre ID:capi -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: ID:capi
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
[ available ]
My openssl.cfg is standard except the last part, where've I added the engine directives that should make OpenSSL load the CryptoAPI engine by default, which I need if I'm ever going to be able to open a secure socket using the key stored on the HSM. I'll paste the full config here for a full reference, in case something bad sticks out:
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
#
# Custom configuration for definition of CAPI engine
#
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
capi = capi_config
[capi_config]
ID = capi
SO_PATH = C:\OpenSSL-Win64\bin\capi.dll
LIST_ADD = 1
LOAD = 1
Now, OpenSSL should load the capi engine by default on library initialisation, which happens in every app that links with this OpenSSL (and does not call special routines that unload or disable loading of the default config file), including the openssl command line tool.
I don't know how yet, but eventually I should also make it the default crypto provider.
Anyways, after adding the above config and also before that, of course, I get this:
OpenSSL> engine -t
(rdrand) Intel RDRAND engine
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
This shouldn't happen. The dynamic engine should have morphed into the capi engine... like the OpenSSL docs say.
Also the CSP for the HSM works. I can list the loaded CSPs like so:
C:\Users\brokenthorn>openssl engine dynamic -t -pre SO_PATH:C:\OpenSSL-Win64\bin\capi.dll -pre LOAD -post list_csps
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\OpenSSL-Win64\bin\capi.dll
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
[ available ]
Available CSPs:
0. Athena ASECard Crypto CSP, type 1
1. Microsoft Base Cryptographic Provider v1.0, type 1
2. Microsoft Base DSS and Diffie-Hellman Cryptographic Provider, type 13
3. Microsoft Base DSS Cryptographic Provider, type 3
4. Microsoft Base Smart Card Crypto Provider, type 1
5. Microsoft DH SChannel Cryptographic Provider, type 18
6. Microsoft Enhanced Cryptographic Provider v1.0, type 1
7. Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider, type 13
8. Microsoft Enhanced RSA and AES Cryptographic Provider, type 24
9. Microsoft RSA SChannel Cryptographic Provider, type 12
10. Microsoft Strong Cryptographic Provider, type 1
11. OpenSC CSP, type 1
[Success]: list_csps
CSP index 0 is my HSM's CSP. I've also sent a few simple commands using the openssl tool, to the HSM, to confirm that it actually works and it does as it should (it's a vendor supplied CSP provider for CAPI).
Any suggestions?

WARNING: can't open config file: ./bin/openssl.cnf

makecert
and press enter then this error occurs.
I tried with solutions provided but that not worked for me.
ex: set OPENSSL_CONF=c:/OpenSSL_Win64/bin/openssl.cnf
<pre>WARNING: can't open config file: ./bin/openssl.cnf
Unable to load config info from ./bin/openssl.cnf
WARNING: can't open config file: ./bin/openssl.cnf
Error opening Private Key privkey.pem
5344:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\
bss_file.c:398:fopen('privkey.pem','rb')
5344:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:40
0:
unable to load Private Key
WARNING: can't open config file: ./bin/openssl.cnf
Loading 'screen' into random state - done
server.csr: No such file or directory
Could Not Find C:\xampp\apache\.rnd
Could Not Find C:\xampp\apache\privkey.pem
Could Not Find C:\xampp\apache\server.csr
The system cannot find the file specified.
The system cannot find the file specified.
-----
Das Zertifikat wurde erstellt.
The certificate was provided.</pre>

Explaining your problem
This error occurs mainly on Windows computers when you are using OpenSSL package or the Windows installer!
The reason is that OpenSSL failed to locate the openssl.cnf file!
Step-by-Step instructions
I will recommend that you do the following (windows only):
Open your command prompt as Administrator (few OpenSSL commands opens in random state), thus when OpenSSL tries to write stuff on your disk it fails.
Try this easy and fast method: Open the Run dialog box with , type cmd and hit
Now before you run any OpenSSL command type the following:
set OPENSSL_CONF=c:\[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg
A sample path is: C:\OpenSSL-Win32\bin\openssl.cfg. For Windows (x64-bit) use C:\OpenSSL-Win64\bin\openssl.cfg!
After you did this now you are good to go with your OpenSSL stuff. Try openssl version and the error is gone.
Remember that everytime you open a command prompt you have to run the above command unless you set this as your environment variable.
Solve your problem
Your problem could be:
You set the environment variable into the folder OpenSSL_Win64. It should be maybe in OpenSSL-Win64!
You forgot maybe to run the command prompt as a Administrator!
You set the environment variable to the file openssl.cnf but it must be openssl.cfg!
Helpful sites
Read also:
WARNING: can’t open config file: /usr/local/ssl/openssl.cnf on Windows 7 (another detailed instructions for your problem)
How To Add/Edit Environment Variables in Windows 7 (helpful if you want set the environment variables forever on your Windows!)

Manually creating an openssl.cnf file in the correct location can solve the problem.
Here is a file template (edit as needed):
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

When install the application penSSL_Win64, will be located in C:\Program Files\OpenSSL-Win64 so , you need to set to this path with a console command and write:
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg