DH Keys DSA Keys EC Keys Firefox General Google Chrome IE (Internet Explorer) Intermediate CA Java VM JDK Keytool Microsoft CertUtil Mozilla CertUtil OpenSSL Other Portecle Publishers Revoked Certificates Root CA RSA Keys Tools Tutorial What Is Windows

OpenSSL "ca" Error "lookup failed for ca::policy"

Q

Why I am getting the "variable lookup failed for ca::policy" error when running OpenSSL "ca" command?

✍: FYIcenter.com

A

You are getting the "variable lookup failed for ca::policy" error, because OpenSSL "ca" command can not find the required "policy" option in the configuration file.

For example, if you have the follow configuration file, test.cnf, without "policy" option defined: 

# Unnamed section of generic options

# section for the "default_ca" option
[ca]
default_ca    = my_ca_default

# default section for "ca" command options
[my_ca_default]
new_certs_dir = ./my_ca/certs
database      = ./my_ca/certs.db
default_md    = md5

You will get an error, because "policy" is a required option: 

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -config test.cnf
Using configuration from test.cnf
Enter pass phrase for my_ca.key:fyicenter
variable lookup failed for my_ca_default::policy
5816:error:02001002:system library:fopen:No such file or directory:
   .\crypto\bio\bss_file.c:175:fopen('./my_ca/certs.db.attr','rb')
5816:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:178:
5816:error:0E078072:configuration file routines:DEF_LOAD:no such file:
   .\crypto\conf\conf_def.c:195:
5816:error:0E06D06C:configuration file routines:NCONF_get_string:no value:
   .\crypto\conf\conf_lib.c:324:group=my_ca_default name=email_in_dn
5816:error:0E06D06C:configuration file routines:NCONF_get_string:no value:
   .\crypto\conf\conf_lib.c:324:group=my_ca_default name=policy
error in ca

Fixing this error is easy. Just add the "policy" option in the section pointed by the "default_ca" option in the configuration file: 

# Unnamed section of generic options

# section for the "default_ca" option
[ca]
default_ca    = my_ca_default

# default section for "ca" command options
[my_ca_default]
new_certs_dir = ./my_ca/certs
database      = ./my_ca/certs.db
default_md    = md5
policy        = my_ca_policy

Remember to add the [my_ca_policy] section with policy options in the configuration file. Policy options control validation rules.

 

OpenSSL "ca" Error "lookup failed for ca::serial"

OpenSSL "ca" Error "lookup failed for ca::default_md"

OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-08, 5873👍, 0💬

DH Keys DSA Keys EC Keys Firefox General Google Chrome IE (Internet Explorer) Intermediate CA Java VM JDK Keytool Microsoft CertUtil Mozilla CertUtil OpenSSL Other Portecle Publishers Revoked Certificates Root CA RSA Keys Tools Tutorial What Is Windows