{{tag>Pb Brouillon TLS}}

= Pb OpenSSL LibreSSL Error Loading extension section v3_ca

Voir aussi :
  * https://knowledge.digicert.com/solution/what-extensions-and-details-are-included-in-a-ssl-certificate

<code bash>
$ openssl genrsa -des3 -out macle.key 2048
#Voir aussi "openssl ecparam -genkey" pour Elliptic Curve key
Generating RSA private key, 2048 bit long modulus
................................................+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for macle.key:
Verifying - Enter pass phrase for macle.key:
</code>

<code ->
$ openssl req -new -x509 -days 3650 -key macle.key -sha256 -extensions v3_ca -out macle.crt
Error Loading extension section v3_ca
</code>

Le problème venait de LibreSSL (pourquoi !?)

Solution 1 (rapide) :

Spécifier le chemin pour prendre l'openssl de la distribution GNU/Linux 
<code bash>
/usr/bin/openssl req -new -x509 -days 3650 -key macle.key -sha256 -extensions v3_ca -out macle.crt
</code>

Solution 2 (la bonne) : 
<code bash>
mv /usr/local/etc/ssl{,.old}
ln -s /etc/ssl /usr/local/etc/ssl
</code>

En effet, la conf n'est pas la même 
<code ->
# grep -ri v3_ca /etc/ssl
/etc/ssl/openssl.cnf:x509_extensions	= v3_ca	# The extentions to add to the self signed cert
/etc/ssl/openssl.cnf:[ v3_ca ]
</code>

''openssl.cnf''
<code ini>
[ v3_ca ]

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true


[ req ]

x509_extensions = v3_ca # The extentions to add to the self signed cert
</code>


## Autres

<code ->
$  openssl x509 -ext basicConstraints,keyUsage -noout -in /usr/share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
X509v3 Basic Constraints: critical
    CA:TRUE
X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
</code>