When working with OpenSSL's CA functionality, several users encounter this specific set of errors when trying to sign intermediate certificates. The key pain points are:
error:02001002:system library:fopen:No such file or directory
error:2006D080:BIO routines:BIO_new_file:no such file
error:0E078072:configuration file routines:DEF_LOAD:no such file
error:0E06D06C:configuration file routines:NCONF_get_string:no value
The main confusion stems from OpenSSL looking for additional files beyond what's explicitly configured. Even when you specify database = $dir/index.txt, OpenSSL automatically appends .attr and looks for index.txt.attr in the same directory. This behavior isn't well-documented in the man pages.
Here's how to properly set up your CA environment:
# Create required files
touch index.txt
touch index.txt.attr
echo "unique_subject = yes" > index.txt.attr
# Set proper permissions
chmod 644 index.txt
chmod 644 index.txt.attr
The second error, regarding email_in_dn, indicates a missing configuration value. Add this to your openssl.cnf:
[ CA_default ]
email_in_dn = no # or yes if you want emails in DN
Here's a complete configuration snippet that works:
[ CA_default ]
dir = /path/to/your/ca
database = $dir/index.txt
email_in_dn = no
policy = policy_loose
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
After implementing these changes:
- Verify all paths in your config file are absolute
- Ensure the OpenSSL process has read/write permissions
- Check SELinux/AppArmor permissions if on Linux
- Test with a simplified command first
If you prefer not to maintain the attribute file, you can modify the OpenSSL command:
openssl ca -config openssl.cnf \
-extensions v3_intermediate_ca \
-days 3650 -notext -md sha256 \
-keyfile private/ca.key.pem \
-cert certs/ca.cert.pem \
-in intermediate/csr/intermediate.csr.pem \
-out intermediate/certs/intermediate.cert.pem \
-batch \
-preserveDN
The OpenSSL CA subcommand is failing with multiple related errors, but the core issue stems from two configuration mismatches:
error:02001002:system library:fopen:No such file or directory:bss_file.c:175
error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182
error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195
error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324
Despite specifying database = $dir/index.txt in your config, OpenSSL is looking for index.txt.attr by default. This behavior is hardcoded in OpenSSL's CA implementation.
There are actually two separate issues occurring:
- The mandatory index.txt.attr file is missing
- The email_in_dn parameter isn't defined in your CA_default section
First, create the required directory structure:
# The path contains spaces, so every use of it must be quoted;
# unquoted, mkdir -p would create "/Volumes/Project", "-" and "Encrypted/..." separately
CA_DIR="/Volumes/Project - Encrypted/Security/root/ca"
mkdir -p "$CA_DIR"
touch "$CA_DIR/index.txt"
touch "$CA_DIR/index.txt.attr"
echo "unique_subject = yes" > "$CA_DIR/index.txt.attr"
Then modify your openssl.cnf to include:
[ CA_default ]
email_in_dn = no
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/ca.cert.pem
private_key = $dir/private/ca.key.pem
For better portability, consider using relative paths in your config:
dir = .
database = $dir/index.txt
certificate = $dir/certs/ca.cert.pem
private_key = $dir/private/ca.key.pem
After implementing these changes, verify your setup:
# openssl ca has no -verify or -show_chain option; they belong to openssl verify,
# which checks the signed intermediate against the root certificate
openssl verify -CAfile certs/ca.cert.pem -show_chain \
intermediate/certs/intermediate.cert.pem
Here's a bash script to automate the CA setup:
#!/bin/bash
set -eu
CA_DIR="/Volumes/Project - Encrypted/Security/root/ca"
mkdir -p "$CA_DIR"/{private,certs,newcerts,crl,intermediate}
chmod 700 "$CA_DIR"/private   # the CA key lives here; keep it readable only by the CA user
touch "$CA_DIR"/index.txt
echo "unique_subject = yes" > "$CA_DIR"/index.txt.attr
echo 1000 > "$CA_DIR"/serial
- Space characters in pathnames (consider symlinks)
- Incorrect filesystem permissions
- Missing environment variables referenced in config
- CRLF line endings in Windows-generated config files
Remember that OpenSSL's CA implementation has many implicit defaults that may override your configuration settings. Always test with the -verbose flag first.
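As an added example that is not part of either answer above (and not OpenSSL's own code), here is a self-contained bash script that builds the directory layout, index.txt, index.txt.attr and openssl.cnf that both answers describe, generates a root, signs an intermediate CSR with openssl ca, verifies the chain, and then tries to sign a second CSR with the same subject to show what unique_subject = yes in index.txt.attr enforces. It assumes the openssl CLI (1.1.x or 3.x) is on PATH; the temporary directory name with spaces (deliberately, to exercise the quoting pitfall), the subjects, the key sizes and all file names are made up.

```shell
#!/usr/bin/env bash
# Added example, not code from either answer above. Assumes the openssl CLI
# (1.1.x or 3.x) is on PATH. Directory name, subjects and file names are made up.
set -eu

# Create the CA layout both answers describe under "$1". Every use of the path
# is quoted, so a directory name with spaces (as in the question) stays one argument.
setup_ca() {
    local dir="$1" sub
    for sub in certs csr newcerts private; do
        mkdir -p "$dir/$sub"
    done
    chmod 700 "$dir/private"
    : > "$dir/index.txt"                                # empty certificate database
    echo "unique_subject = yes" > "$dir/index.txt.attr"
    echo 1000 > "$dir/serial"

    # Minimal openssl.cnf. dir is absolute so the commands work from any cwd;
    # \$dir is left unexpanded for OpenSSL's own variable substitution.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/certs/ca.cert.pem
private_key   = \$dir/private/ca.key.pem
default_md    = sha256
email_in_dn   = no
policy        = policy_loose

[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_intermediate_ca ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

    # Self-signed root certificate and key.
    openssl req -config "$dir/openssl.cnf" -new -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/private/ca.key.pem" -out "$dir/certs/ca.cert.pem" \
        -days 3650 -subj "/O=Example/CN=Example Root CA" -extensions v3_ca
}

# Create an intermediate CSR for the given CN and sign it with the root via
# openssl ca. Returns 0 only if a certificate was actually written: the output
# file is checked rather than trusting openssl ca's exit status alone.
sign_intermediate() {
    local dir="$1" name="$2" cn="$3"
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/private/$name.key.pem" -out "$dir/csr/$name.csr.pem" \
        -subj "/O=Example/CN=$cn"
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -extensions v3_intermediate_ca -days 1825 \
        -in "$dir/csr/$name.csr.pem" -out "$dir/certs/$name.cert.pem" || return 1
    [ -s "$dir/certs/$name.cert.pem" ]
}

# Check that the intermediate chains to the root; returns openssl verify's status.
verify_chain() {
    local dir="$1" name="$2"
    openssl verify -CAfile "$dir/certs/ca.cert.pem" "$dir/certs/$name.cert.pem"
}

if [ "${1-}" = "run" ]; then
    CA_DIR="$(mktemp -d)/Project - Encrypted/root/ca"   # spaces on purpose
    setup_ca "$CA_DIR"
    sign_intermediate "$CA_DIR" intermediate "Example Intermediate CA"
    verify_chain "$CA_DIR" intermediate
    # A second CSR with the same subject: unique_subject = yes in index.txt.attr
    # makes openssl ca refuse it, so index.txt keeps a single V (valid) entry.
    if sign_intermediate "$CA_DIR" intermediate2 "Example Intermediate CA"; then
        echo "unexpected: duplicate subject was signed"
    else
        echo "duplicate subject refused; V entries: $(grep -c '^V' "$CA_DIR/index.txt")"
    fi
fi
```

Run it as `bash script.sh run`. The openssl ca error text for the refused second CSR ("There is already a certificate for ...") is printed at the end of its output; everything the CA needs (dir, database, serial, new_certs_dir, certificate, private_key, default_md, policy, email_in_dn) is spelled out in the generated config, so a missing value shows up as a single clear failure rather than as a pile of accumulated library errors.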