On Tue, Feb 17, 2004, Raymond Rooks wrote:

> I read the message from Richard Levitte concerning the problem of not
> being able to load the certificate. Partially quoting:
>
> Benjamin.Kohler> unable to load certificate
> Benjamin.Kohler> 22158:error:0906D06C:PEM routines:PEM_read_bio:no start
> Benjamin.Kohler> line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
>
> I am having the same problem. I started by following the instructions
> someone posted on:
>
> www2.goldfisch.at/knowledge/142
>
> That person provided a script of "sign.sh", which I used after
> generating my own certificates. I used that and had the error as above
> of the TRUSTED CERTIFICATE problem.
>
> I am trying to follow the solution in the email, but it did raise a
> question. My files are of the ".crl", ".crt", and ".key" type and not
> the ".pem" type. Do I do the command line option of "-cert
> mydomain.crt"? (doesn't seem to work, unless I am specifying something
> wrong) I am almost totally ignorant of how to use the OpenSSH tool,
> although I very much appreciate the work that you guys have done. (and
> would like to be able to contribute back)
>
> Anyway, my guess from looking through some documentation is that I can
> generate several types of files, although I don't know which are the best.
>
> I also am a bit lost on the options of "openssl". I think that the
> options are readily apparent to someone who works with this tool a lot,
> but I have been looking at it for a few hours and I am still lost.
Firstly what are you trying to do? I'd guess you are trying to create a CA
and some certificates signed by it. In that case you should use the CA.pl
command which is fully documented with examples. Something like:

CA.pl -newca
CA.pl -newreq
CA.pl -signreq

is enough. This calls the 'openssl' tools with the correct arguments.

The "Expecting: TRUSTED CERTIFICATE" error message means that a command (you
don't say which) is expecting a PEM format certificate file and can't find
the header lines which will normally be: "-----BEGIN CERTIFICATE-----". This
is normally because it isn't being fed a certificate or is being fed one in
an invalid form.

Beware of 'cookbooks'! While the one you indicated looks OK some suggest
insecure or broken practices such as giving away your CA's private key or
creating certificates with duplicate serial numbers (which will cause major
problems later on).

The file extension doesn't actually matter to OpenSSL. A .crl file may be a
PEM format CRL which could equally well have .pem as its extension.

Also look at the FAQ which is clearly marked on the OpenSSL website, this
would have referred you to CA.pl in the first instance.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
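An added illustration of the diagnosis Steve gives above (this script is not from the thread, the OpenSSL project, or CA.pl): a POSIX sh helper that looks at a file the way the PEM reader does, regardless of its .crt/.crl/.key extension, and says why "openssl x509 -in FILE" would accept or reject it. It needs only sed, grep and od; the openssl commands it suggests in its hint text are the standard ones for converting a DER file or reading a CRL. The sample file contents in the usage note are constructed, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the original thread or of OpenSSL itself.
# Classify a file by its PEM "-----BEGIN ...-----" labels to explain the
# "PEM_read_bio:no start line ... Expecting: TRUSTED CERTIFICATE" error:
# 'openssl x509' only accepts blocks labelled CERTIFICATE or TRUSTED CERTIFICATE.

# Print the PEM block labels found in a file, one per line
# (e.g. CERTIFICATE, X509 CRL, RSA PRIVATE KEY, CERTIFICATE REQUEST).
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Print a one-line verdict with a fixed prefix (OK, EMPTY, DER, NOPEM, CRL,
# CSR, KEY, OTHER) and a hint. Returns 0 only for a usable PEM certificate.
diagnose() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "EMPTY: file is empty or missing"
        return 1
    fi
    labels=$(pem_labels "$f")
    if [ -z "$labels" ]; then
        # No PEM armour at all. A DER-encoded object starts with the ASN.1
        # SEQUENCE tag 0x30, which is the usual cause of "no start line".
        first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
        if [ "$first" = "30" ]; then
            echo "DER: binary ASN.1, not PEM; use -inform DER or convert with 'openssl x509 -inform DER -in $f -out $f.pem'"
        else
            echo "NOPEM: no -----BEGIN ...----- line; this is not a PEM file"
        fi
        return 1
    fi
    # Match whole labels: "CERTIFICATE REQUEST" must not pass as a certificate.
    if printf '%s\n' "$labels" | grep -qx -e 'CERTIFICATE' -e 'TRUSTED CERTIFICATE'; then
        echo "OK: PEM certificate"
        return 0
    fi
    if printf '%s\n' "$labels" | grep -qx 'X509 CRL'; then
        echo "CRL: PEM CRL; read it with 'openssl crl -in $f -noout -text', not 'openssl x509'"
        return 1
    fi
    if printf '%s\n' "$labels" | grep -qx 'CERTIFICATE REQUEST'; then
        echo "CSR: PEM certificate request; it still has to be signed (e.g. CA.pl -signreq) before it is a certificate"
        return 1
    fi
    if printf '%s\n' "$labels" | grep -q 'PRIVATE KEY'; then
        echo "KEY: PEM private key; a key file is never accepted where a certificate is expected"
        return 1
    fi
    echo "OTHER: PEM blocks present ($(printf '%s' "$labels" | tr '\n' ',')) but none is a certificate"
    return 1
}

# Command-line use: ./pemcheck.sh server.crt ca.crl server.key
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(diagnose "$f" || true)"
    done
fi
```

Running it over the three files from the question would show at a glance which one is actually a certificate and which is the CRL or key that was being passed to a certificate-expecting command; a DER file that was renamed .crt but never converted is the other common cause of the "no start line" message.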