OpenSSL "ca" Error "lookup failed for ca::policy"

Q

Why am I getting the "variable lookup failed for ca::policy" error when running the OpenSSL "ca" command?

✍: FYIcenter.com

A

You are getting the "variable lookup failed for ca::policy" error because the OpenSSL "ca" command cannot find the required "policy" option in the configuration file.

For example, if you have the following configuration file, test.cnf, without the "policy" option defined:

# Unnamed section of generic options

# section for the "default_ca" option
[ca]
default_ca    = my_ca_default

# default section for "ca" command options
[my_ca_default]
new_certs_dir = ./my_ca/certs
database      = ./my_ca/certs.db
default_md    = md5

You will get an error, because "policy" is a required option:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -config test.cnf
Using configuration from test.cnf
Enter pass phrase for my_ca.key:fyicenter
variable lookup failed for my_ca_default::policy
5816:error:02001002:system library:fopen:No such file or directory:
   .\crypto\bio\bss_file.c:175:fopen('./my_ca/certs.db.attr','rb')
5816:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:178:
5816:error:0E078072:configuration file routines:DEF_LOAD:no such file:
   .\crypto\conf\conf_def.c:195:
5816:error:0E06D06C:configuration file routines:NCONF_get_string:no value:
   .\crypto\conf\conf_lib.c:324:group=my_ca_default name=email_in_dn
5816:error:0E06D06C:configuration file routines:NCONF_get_string:no value:
   .\crypto\conf\conf_lib.c:324:group=my_ca_default name=policy
error in ca

Fixing this error is easy. Just add the "policy" option to the section pointed to by the "default_ca" option in the configuration file:

# Unnamed section of generic options

# section for the "default_ca" option
[ca]
default_ca    = my_ca_default

# default section for "ca" command options
[my_ca_default]
new_certs_dir = ./my_ca/certs
database      = ./my_ca/certs.db
default_md    = md5
policy        = my_ca_policy

Remember to add the [my_ca_policy] section with policy options in the configuration file. Policy options control validation rules.
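
The configuration above with the [my_ca_policy] section filled in, as an added example that is not from the original page. The field choices in the policy section and the sha256 digest are assumptions for illustration.

```ini
# section for the "default_ca" option
[ca]
default_ca    = my_ca_default

# default section for "ca" command options
[my_ca_default]
new_certs_dir = ./my_ca/certs
database      = ./my_ca/certs.db
# Assumption: sha256 is used here instead of the page's md5,
# because MD5 is not collision resistant.
default_md    = sha256
policy        = my_ca_policy

# Policy section named by the "policy" option above.
# One line per DN field; the value is the rule applied to the CSR:
#   match    - field must be present and equal to the same field
#              in the CA certificate
#   supplied - field must be present in the CSR
#   optional - field may be present
# DN fields not listed here are deleted from the issued certificate
# unless "ca" is run with -preserveDN.
[my_ca_policy]
countryName            = match
stateOrProvinceName    = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
```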

 


2016-09-08