LibreSSL on OpenBSD: Error Loading extension section v3_ca

nabbisen profile image Heddi Nabbisen ・1 min read

To use openssl, one of the utilities of LibreSSL, and create root and intermediate certificates with v3_ca extensions, error might happen in OpenBSD 6.7.

This is because /etc/ssl/openssl.cnf doesn't have [ v3_ca ] section by default.
The solution is to create the backup, if necessary, and append the section.

$ doas cp -p /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.org
$ doas nvim /etc/ssl/openssl.cnf

[ v3_ca ] section:

+ [ v3_ca ]
+ basicConstraints = critical,CA:TRUE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer:always

Besides, I met this error when trying to build tls connection between PostgreSQL server and client:

$ # create a root certificate authority
$ openssl x509 -req -in root.csr -text -days 36500 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey root.key -out root.crt
Error Loading extension section v3_ca

Posted on by:

nabbisen profile

Heddi Nabbisen


An ICT designer/developer and a security monk. "With a cool brain and a warm heart", I am challenging unsolved problems in our society. I use OpenBSD/Rust/etc.


markdown guide