I keep getting an error when I try this.

I generated privkey.pem by using

./openssl genrsa -out privkey.pem 2048

and cacert.pem by using

./openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

Then I generated a CSR from my webserver (on a different domain, a different
box, a different instance altogether), named it mev.csr.pem and transferred
that file over to the box running openssl.

 ./openssl x509 -req -in mev.csr.pem -CA cacert.pem -CAkey privkey.pem -days 1024 -out mev.cert.pem
Signature ok
subject=/C=US/ST=California/L=San Jose/O=MEV DEMO LAB SERVER/OU=RandD/CN=www.mev.com
Getting CA Private Key
Enter PEM pass phrase:
cacert.srl: No such file or directory
2279:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('cacert.srl','r')
2279:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:

It looks like it's looking for a file cacert.srl, but I never specified this
filename.

Any insight on this?

Rohan
----- Original Message -----
From: "Charles B Cranston" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 19, 2003 12:21 PM
Subject: Re: Newbie question - Signing CSR's


> Rohan Pinto wrote:
>  >I wrote
> >>What you need to do is:
>
> >>1. create a root certificate
> >>2. install that root certificate into all your web browsers
> >>3. create a CSR on the server
> >>4. use the root to sign that CSR into a server certificate
>
> > This is the part that I would need help on. I have created a root
> > certificate, I've imported that into all my web browsers and also on the
> > webserver. I have also created a CSR from the webserver. I don't know how
> > to sign the CSR .... If I could get some advice on how to sign a CSR I
> > would at least get an understanding of the flow. From what I have
> > understood so far... I used the rootCA private key while signing the CSR.
> > The webserver's public key is sitting somewhere on the webserver. I would
> > need to use that key to sign the CSR. The question is, how do I get that
> > key? Also.... I am confused as I believed that the webserver's key would
> > be embedded in the CSR.
>
> You are doing fine until you get to "signing the CSR with the
> webserver's public key which is sitting somewhere on the webserver."
>
> Important theoretical points
>
> 1. The CSR "IS" the webserver's public key, plus some ID info
>
> 2. The CSR is made INTO the Certificate by signing with the
>     root's private key (not any server key nor any public key)
>
> 3. The webserver's PRIVATE key is the one sitting somewhere on
>     the webserver
>
> 4. The Certificate IS the webserver's public key (as obtained
>     from the CSR) and is SIGNED using the root's private key.
>     Why?  So the root's public key, which EVERYBODY has access to,
>     can be used to VERIFY that the certificate has not been forged.
>
> So, take the CSR from the webserver machine to the machine where
> you are running OpenSSL.  Sign the CSR into a certificate using
> the private key from the root certificate.  This can be done with
> either the "ca" tool (or something like CA.PL which calls it) or
> with the "x509" tool.  Take the certificate back and install it
> into the webserver.  The way to do this varies from webserver to
> webserver but go to
>
>     http://www.ssl.com/support/installation.jsp
>
> and look at the menu over on the right hand side.  Find your
> webserver software and see if they have good installation
> documentation.  This is a VERY well done web site.
>
> >>5. install the server certificate on the server
>
> > Wish I could get some pointers on the steps to sign a CSR that's
> > generated from a webserver (which resides on the abcd.com domain) using
> > openssl that resides on xyz.com.
>
> on xyz.com:
>
>     ftp abcd.com
>     get server.csr.pem
>     quit
>     openssl x509 -req -in server.csr.pem \
>                  -CA root.cert.pem -CAkey root.key.pem <more options> \
>                  -out server.cert.pem
>     ftp abcd.com
>     put server.cert.pem
>
> Under <more options> there is -CAserial to set a serial number,
> maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the
> certificate lifetime, etc.  Some of these things can be set in the
> OpenSSL configuration file.  I'd look at "man x509".
>
> Alternatively, signing can be done with the "ca" tool, but I'm
> not so familiar with it.  It requires an infrastructure of a data
> file and a serial number file and directories of various things etc
> and since I based our database on Oracle it seemed too high-level and
> high-maintenance to use.  Unfortunately it seems I need to use it
> for my personal identity and privacy PKIs since "x509" doesn't seem
> to know how to process a SPKIX file.
>
> Sorry about my somewhat fuzzy (and in some places WRONG) answer
> before.  I should REALLY learn not to type anything in before noon.
>
> --
> Charles B (Ben) Cranston
> mailto: [EMAIL PROTECTED]
> http://www.wam.umd.edu/~zben
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>
>
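Added example, not from either message in the thread: a shell function that runs the flow described above with the thread's own file names, reproduces the cacert.srl failure, then signs with -CAcreateserial and checks points 1 and 4 of the quoted reply (the certificate carries the CSR's public key and verifies against the root). It assumes an openssl binary (1.1.1 or 3.x) on PATH; the small config file, the "Demo Root CA" subject and the scratch directory are constructed for this example.

```shell
# Added example (not the thread's own commands): root key, self-signed root,
# server CSR, "x509 -req" signing, with the cacert.srl error and its fix.
# Assumes openssl 1.1.1 or 3.x on PATH; file names mirror the thread.
sign_csr_demo() {
    work=$(mktemp -d) || return 1
    # Constructed minimal config so the run does not depend on the system
    # openssl.cnf; it marks the root as a CA so "openssl verify" trusts it.
    cat >"$work/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Step 1: root CA private key and self-signed root certificate.
    openssl genrsa -out "$work/privkey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -config "$work/demo.cnf" -key "$work/privkey.pem" \
        -days 1095 -subj "/CN=Demo Root CA" -out "$work/cacert.pem" || return 1
    # Step 3 (server side): its private key stays put; only the CSR, which
    # holds the server's public key plus identity, travels to the CA box.
    openssl genrsa -out "$work/server.key.pem" 2048 2>/dev/null || return 1
    openssl req -new -config "$work/demo.cnf" -key "$work/server.key.pem" \
        -subj "/C=US/O=MEV DEMO LAB SERVER/CN=www.mev.com" \
        -out "$work/mev.csr.pem" || return 1
    # Step 4 as posted: with no serial source, x509 -req looks for cacert.srl
    # (CA file name with .srl) and fails with the error shown in the thread.
    err=$(openssl x509 -req -in "$work/mev.csr.pem" -CA "$work/cacert.pem" \
        -CAkey "$work/privkey.pem" -days 1024 -out "$work/mev.cert.pem" 2>&1) \
        && return 1
    case "$err" in *cacert.srl*) ;; *) return 1 ;; esac
    # Fix: -CAcreateserial creates cacert.srl (random start value) and later
    # runs increment it; -CAserial FILE names the file explicitly instead.
    openssl x509 -req -in "$work/mev.csr.pem" -CA "$work/cacert.pem" \
        -CAkey "$work/privkey.pem" -CAcreateserial -days 1024 -sha256 \
        -out "$work/mev.cert.pem" 2>/dev/null || return 1
    [ -f "$work/cacert.srl" ] || return 1
    # Points 1 and 4 of the reply: the certificate holds the CSR's (server's)
    # public key, and its signature checks out against the root's public key.
    csr_pub=$(openssl req -in "$work/mev.csr.pem" -pubkey -noout) || return 1
    cert_pub=$(openssl x509 -in "$work/mev.cert.pem" -pubkey -noout) || return 1
    [ "$csr_pub" = "$cert_pub" ] || return 1
    openssl verify -CAfile "$work/cacert.pem" "$work/mev.cert.pem" >/dev/null \
        || return 1
    echo "$work"
}
```

Calling sign_csr_demo prints the scratch directory that now holds cacert.srl and the signed mev.cert.pem.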
