Certificates Fail to Be Generated After Running openssl req -new -x509

Symptom

After KAE is installed, running the openssl req -new -x509 command fails to generate a certificate and displays the following message:
    281461739307968:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:273:group=req name=distinguished_name

Key Process and Cause Analysis

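When OpenSSL generates a certificate, it reads the openssl.cnf file, by default the one in the OpenSSL installation directory. If KAE is installed and enabled through its own openssl.cnf file (selected with the OPENSSL_CONF environment variable), the certificate generation command reads that file instead. The message shows that OpenSSL found no distinguished_name value in the req section of the file it read, so the command reports the error.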

Conclusion and Solution

Method 1: using KAE by specifying the KAE path instead of using openssl.cnf

  1. Unset the environment variable that points to openssl.cnf.
    unset OPENSSL_CONF
  2. Specify the KAE path.
    export OPENSSL_ENGINES="/usr/local/lib/engines-1.1"

Method 2: using openssl.cnf provided with OpenSSL instead of a custom openssl.cnf file created by KAE

  1. Unset the environment variable that points to the openssl.cnf file created by KAE.
    unset OPENSSL_CONF
  2. Add the KAE configuration to the specified position (as shown in Figure 1) in the openssl.cnf file in the OpenSSL installation directory.
    Generally, the openssl.cnf file is stored in the ssl directory in the OpenSSL installation directory. You can also run the find / -name "openssl.cnf" command to search for the openssl.cnf file.
    openssl_conf=openssl_def
    [openssl_def]
    engines=engine_section
    [engine_section]
    kae=kae_section
    [kae_section]
    engine_id=kae
    dynamic_path=/usr/local/lib/engines-1.1/kae.so
    KAE_CMD_ENABLE_ASYNC=1 #(Optional) The value 0 indicates that the asynchronous function is disabled. The value 1 indicates that the asynchronous function is enabled (enabled by default).
    KAE_CMD_ENABLE_SM3=1 #(Optional) The value 0 indicates that the SM3 acceleration mode is disabled. The value 1 indicates that the SM3 acceleration function is enabled (enabled by default).
    KAE_CMD_ENABLE_SM4=1 #(Optional) The value 0 indicates that the SM4 acceleration mode is disabled. The value 1 indicates that the SM4 acceleration mode is enabled (enabled by default).
    default_algorithms=ALL #All algorithms are looked up in the engine first. If the engine does not support an algorithm, computing falls back to OpenSSL.
    init=1 #Initialize the engine when the configuration is loaded.
    Figure 1 Position for adding the KAE configuration in the openssl.cnf file of OpenSSL

    Now you can use the certificate generation function properly.
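
The check below is an added example, not part of the original page or of KAE: it reports which openssl.cnf is in effect and whether a given file still defines distinguished_name under [req], the value the error message says is missing. The function names are hypothetical, the two sample files are constructed, and kae_section is the section name used in the configuration above.

```shell
#!/bin/sh
# Added diagnostic (not from the original page): which openssl.cnf is in
# effect, and does it still carry what "openssl req" needs?

effective_cnf() {   # path OpenSSL will read: $OPENSSL_CONF, else OPENSSLDIR
    if [ -n "${OPENSSL_CONF:-}" ]; then printf '%s\n' "$OPENSSL_CONF"
    else printf '%s/openssl.cnf\n' "$(openssl version -d | sed 's/^[^"]*"\(.*\)"$/\1/')"
    fi
}

cnf_has_key() {     # cnf_has_key FILE SECTION KEY: status 0 if SECTION assigns KEY
    awk -v want_sec="$2" -v want_key="$3" '
        { sub(/[#].*/, "") }                      # strip comments
        /^[ \t]*\[.*\][ \t]*$/ {                  # header such as "[ req ]"
            sec = $0; gsub(/[ \t]/, "", sec)
            sec = substr(sec, 2, length(sec) - 2); next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (sec == want_sec && key == want_key) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

diagnose() {        # diagnose FILE: status 0 if "openssl req" can find its DN section
    kae="no KAE engine section"
    if cnf_has_key "$1" kae_section engine_id; then kae="KAE configured"; fi
    if cnf_has_key "$1" req distinguished_name; then
        echo "$1: $kae; [req] distinguished_name present"
    else
        echo "$1: $kae; [req] distinguished_name MISSING, openssl req will fail"
        return 1
    fi
}

# Constructed samples: a KAE-only custom file, and a stock-style file with KAE added.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'openssl_conf=openssl_def' '[openssl_def]' 'engines=engine_section' \
    '[engine_section]' 'kae=kae_section' '[kae_section]' 'engine_id=kae' \
    > "$tmp/kae_only.cnf"
{ echo 'openssl_conf = openssl_def'
  printf '%s\n' '[ req ]' 'distinguished_name = req_distinguished_name  # stock entry'
  sed 1d "$tmp/kae_only.cnf"; } > "$tmp/merged.cnf"
diagnose "$tmp/kae_only.cnf" || true
diagnose "$tmp/merged.cnf"
```

On a real host, run diagnose "$(effective_cnf)" before and after applying either method to confirm that the file OpenSSL reads contains both the req section and the KAE engine section.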