In message <[EMAIL PROTECTED]> on Thu, 4 Nov 2004 14:22:35 -0500, "Ronald I. Nutter" <[EMAIL PROTECTED]> said:

ronald_nutter> Is anybody getting this or is OpenSSL a dead product ?
ronald_nutter> Is there a listserv somewhere that may be able to help
ronald_nutter> me ?

OpenSSL is a live product. However, you need to understand that the
organisation is entirely volunteer driven, without any funding[1], and
that all members have other things to attend to as well, including a
life and a job that keeps each of us alive. Next time, take a deep
breath and please be patient. For me to answer, there may sometimes be
a one-week delay. For others, I can only guess from their patterns.

That said, to your question:

In message <[EMAIL PROTECTED]> on Thu, 4 Nov 2004 08:03:51 -0500, "Ronald I. Nutter" <[EMAIL PROTECTED]> said:

ronald_nutter> I am trying to get OpenSSL to work with Freeradius. I
ronald_nutter> am running the CA.all perl script but am getting errors
ronald_nutter> that I can't find the cause for.

Well, the first thing to realise is that there's no way for us to know
what the errors come from, since we have no clue whatsoever what CA.all
does. It's certainly not a script we have produced. The best I can do
is attempt a few guesses, based on the output.

ronald_nutter> ##################
ronald_nutter> exporting ROOT CA
ronald_nutter> CA.pl -newreq
ronald_nutter> CA.pl -signreq
ronald_nutter> openssl pkcs12 -export -in demoCA/cacert.pem -inkey
ronald_nutter> newreq.pem -out root.pem
ronald_nutter> openssl pkcs12 -in root.cer -out root.pem
ronald_nutter> ##################
ronald_nutter>
ronald_nutter> No certificate matches private key
ronald_nutter> 22411:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
ronald_nutter> long:asn1_lib.c:140: unable to load certificate 22412:error:0906D06C:PEM
ronald_nutter> routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED
ronald_nutter> CERTIFICATE

With the first 'openssl pkcs12', you're producing a file called
root.pem. With the second, you're trying to use root.cer, which is a
*different* file, as input. Where would that file come from? My guess
is that whoever wrote CA.all made a mistake.

ronald_nutter> ##################
ronald_nutter> creating client certificate
ronald_nutter> name : name-clt
ronald_nutter> client certificate stored as cert-clt.pem
ronald_nutter> CA.pl -newreq
ronald_nutter> CA.pl -signreq
ronald_nutter> ##################
ronald_nutter>
ronald_nutter> Generating a 1024 bit RSA private key
ronald_nutter> ........................++++++
ronald_nutter> ..++++++
ronald_nutter> writing new private key to 'newreq.pem'
ronald_nutter> -----
ronald_nutter> You are about to be asked to enter information that will be incorporated
ronald_nutter> into your certificate request. What you are about to enter is what is
ronald_nutter> called a Distinguished Name or a DN. There are quite a few fields but
ronald_nutter> you can leave some blank. For some fields there will be a default value,
ronald_nutter> If you enter '.', the field will be left blank.
ronald_nutter> -----
ronald_nutter> Country Name (2 letter code) [US]:
ronald_nutter> State or Province Name (full name) [Kentucky]:
ronald_nutter> Locality Name (eg, city) [Georgetown]:
ronald_nutter> Organization Name (eg, company) [Georgetown College]:
ronald_nutter> Organizational Unit Name (eg, section) [ITS]:
ronald_nutter> Common Name (eg, YOUR name) [Network Manager]:
ronald_nutter> Email Address [EMAIL PROTECTED]:
ronald_nutter>
ronald_nutter> Please enter the following 'extra' attributes
ronald_nutter> to be sent with your certificate request
ronald_nutter> A challenge password [whatever]:whatever
ronald_nutter> An optional company name []:
ronald_nutter> Using configuration from /usr/local/openssl/ssl/openssl.cnf
ronald_nutter> Enter pass phrase for ./demoCA/private/cakey.pem:
ronald_nutter> Check that the request matches the signature
ronald_nutter> Signature ok
ronald_nutter> Certificate Details:
ronald_nutter>         Serial Number: 1 (0x1)
ronald_nutter>         Validity
ronald_nutter>             Not Before: Nov  3 19:31:02 2004 GMT
ronald_nutter>             Not After : Nov  3 19:31:02 2005 GMT
ronald_nutter>         Subject:
ronald_nutter>             countryName               = US
ronald_nutter>             stateOrProvinceName       = Kentucky
ronald_nutter>             localityName              = Georgetown
ronald_nutter>             organizationName          = Georgetown College
ronald_nutter>             organizationalUnitName    = ITS
ronald_nutter>             commonName                = Network Manager
ronald_nutter>             emailAddress              = [EMAIL PROTECTED]
ronald_nutter>         X509v3 extensions:
ronald_nutter>             X509v3 Basic Constraints:
ronald_nutter>                 CA:FALSE
ronald_nutter>             Netscape Comment:
ronald_nutter>                 OpenSSL Generated Certificate
ronald_nutter>             X509v3 Subject Key Identifier:
ronald_nutter>                 9B:F9:44:79:B8:2C:EB:07:93:59:5F:FB:22:C7:2A:79:16:E8:4F:98
ronald_nutter>             X509v3 Authority Key Identifier:
ronald_nutter>                 keyid:EC:B1:D2:59:87:8B:E5:6D:67:C8:0E:94:F1:DE:2C:BA:40:A4:CB:B3
ronald_nutter>                 DirName:/C=US/ST=Kentucky/OU=ITS/CN=Network Manager/[EMAIL PROTECTED]
ronald_nutter>                 serial:00
ronald_nutter>
ronald_nutter> Certificate is to be certified until Nov  3 19:31:02 2005 GMT (365 days)
ronald_nutter> Sign the certificate? [y/n]:y
ronald_nutter>
ronald_nutter> -passin: No such file or directory
ronald_nutter> 22414:error:02001002:system library:fopen:No such file or
ronald_nutter> directory:bss_file.c:276:fopen('-passin','r')
ronald_nutter> 22414:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
ronald_nutter> No certificate matches private key 22416:error:0D07207B:asn1 encoding
ronald_nutter> routines:ASN1_get_object:header too long:asn1_lib.c:140: unable to load
ronald_nutter> certificate 22417:error:0906D06C:PEM routines:PEM_read_bio:no start
ronald_nutter> line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

-passin? How interesting. You see, some commands in OpenSSL 0.9.7{x}
and 0.9.8-dev do take a -passin option so the user can express where
the password should come from. However, CA.pl doesn't use -passin, at
all, so my guess is there's another command in CA.all that's not shown
in the command synopsis above.

Furthermore, from the error message, I'm guessing someone goofed up the
command so it looks somewhat like this:

openssl {subcommand} ... -in -passin ...

That same goofup is repeated here.

ronald_nutter> ##################
ronald_nutter> creating server certificate
ronald_nutter> name : name-srv
ronald_nutter> server certificate stored as cert-srv.pem
ronald_nutter> CA.pl -newreq
ronald_nutter> CA.pl -signreq
ronald_nutter> ##################
ronald_nutter>
ronald_nutter> Generating a 1024 bit RSA private key
ronald_nutter> ........................................++++++
ronald_nutter> .........................++++++
ronald_nutter> writing new private key to 'newreq.pem'
ronald_nutter> -----
ronald_nutter> You are about to be asked to enter information that will be incorporated
ronald_nutter> into your certificate request. What you are about to enter is what is
ronald_nutter> called a Distinguished Name or a DN. There are quite a few fields but
ronald_nutter> you can leave some blank. For some fields there will be a default value,
ronald_nutter> If you enter '.', the field will be left blank.
ronald_nutter> -----
ronald_nutter> Country Name (2 letter code) [US]:
ronald_nutter> State or Province Name (full name) [Kentucky]:
ronald_nutter> Locality Name (eg, city) [Georgetown]:
ronald_nutter> Organization Name (eg, company) [Georgetown College]:
ronald_nutter> Organizational Unit Name (eg, section) [ITS]:
ronald_nutter> Common Name (eg, YOUR name) [Network Manager]:
ronald_nutter> Email Address [EMAIL PROTECTED]:
ronald_nutter>
ronald_nutter> Please enter the following 'extra' attributes
ronald_nutter> to be sent with your certificate request
ronald_nutter> A challenge password [whatever]:
ronald_nutter> An optional company name []:
ronald_nutter> Using configuration from /usr/local/openssl/ssl/openssl.cnf
ronald_nutter> Enter pass phrase for ./demoCA/private/cakey.pem:
ronald_nutter> Check that the request matches the signature
ronald_nutter> Signature ok
ronald_nutter> Certificate Details:
ronald_nutter>         Serial Number: 1 (0x1)
ronald_nutter>         Validity
ronald_nutter>             Not Before: Nov  3 19:31:59 2004 GMT
ronald_nutter>             Not After : Nov  3 19:31:59 2005 GMT
ronald_nutter>         Subject:
ronald_nutter>             countryName               = US
ronald_nutter>             stateOrProvinceName       = Kentucky
ronald_nutter>             localityName              = Georgetown
ronald_nutter>             organizationName          = Georgetown College
ronald_nutter>             organizationalUnitName    = ITS
ronald_nutter>             commonName                = Network Manager
ronald_nutter>             emailAddress              = [EMAIL PROTECTED]
ronald_nutter>         X509v3 extensions:
ronald_nutter>             X509v3 Basic Constraints:
ronald_nutter>                 CA:FALSE
ronald_nutter>             Netscape Comment:
ronald_nutter>                 OpenSSL Generated Certificate
ronald_nutter>             X509v3 Subject Key Identifier:
ronald_nutter>                 5E:BC:CE:F7:C5:B1:38:54:E8:FA:2A:12:08:A9:06:25:06:55:D6:BD
ronald_nutter>             X509v3 Authority Key Identifier:
ronald_nutter>                 keyid:EC:B1:D2:59:87:8B:E5:6D:67:C8:0E:94:F1:DE:2C:BA:40:A4:CB:B3
ronald_nutter>                 DirName:/C=US/ST=Kentucky/OU=ITS/CN=Network Manager/[EMAIL PROTECTED]
ronald_nutter>                 serial:00
ronald_nutter>
ronald_nutter> Certificate is to be certified until Nov  3 19:31:59 2005 GMT (365 days)
ronald_nutter> Sign the certificate? [y/n]:y
ronald_nutter>
ronald_nutter> -passin: No such file or directory
ronald_nutter> 22419:error:02001002:system library:fopen:No such file or
ronald_nutter> directory:bss_file.c:276:fopen('-passin','r')
ronald_nutter> 22419:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
ronald_nutter> No certificate matches private key 22421:error:0D07207B:asn1 encoding
ronald_nutter> routines:ASN1_get_object:header too long:asn1_lib.c:140: unable to load
ronald_nutter> certificate 22422:error:0906D06C:PEM routines:PEM_read_bio:no start
ronald_nutter> line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

If you want me to help you fix CA.all, I'll be happy to. However,
that's something I regard as consultancy, so I'll only do it for a fee.

-----
[1] except for the small sums we've received as individuals. I'm
    personally grateful for what I have received.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
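The two failures in the thread ("No certificate matches private key", and the PEM reader's "no start line ... Expecting: TRUSTED CERTIFICATE" for a file that is absent or not PEM) both have cheap checks a practitioner can run before calling `openssl pkcs12 -export`. The script below is an added example, not code from the thread, from CA.all or from OpenSSL's own CA.pl. It builds a throwaway CA in a temp directory, verifies whether a certificate really belongs to a given private key, classifies an input file as PEM, DER or missing, and then does the export with the arguments in the right order. File names (cacert.pem, cakey.pem, newreq.pem, root.cer, root.p12) mirror the thread and the PKCS#12 password "demo" is a hypothetical value; the `openssl pkey` and `x509 -pubkey` subcommands used for the key comparison postdate the 0.9.7 release under discussion.

```shell
#!/bin/sh
# Added example (not from the original thread, CA.all or CA.pl): reproduce
# and diagnose the two pkcs12 -export failures with a throwaway CA.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to demonstrate" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_fixtures() {
  # Self-signed CA (key + cert) and an unrelated end-entity key, which is
  # what CA.pl -newreq leaves behind in newreq.pem.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
      -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
  openssl genrsa -out "$WORK/newreq.pem" 2048 >/dev/null 2>&1
  # A DER copy of the CA cert, standing in for a root.cer written by some
  # other tool (constructed fixture; the thread's root.cer never existed).
  openssl x509 -in "$WORK/cacert.pem" -outform DER -out "$WORK/root.cer"
}

# Succeeds only if the public key inside the certificate equals the public
# half of the private key; "No certificate matches private key" is what
# pkcs12 -export prints when this comparison fails.
cert_matches_key() {
  c="$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
  k="$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)"
  [ "$c" = "$k" ]
}

# Prints missing, pem, der or unknown. A missing or non-PEM input is what
# the PEM reader's "no start line ... Expecting: TRUSTED CERTIFICATE"
# error looks like from the outside.
cert_format() {
  if [ ! -s "$1" ]; then echo missing; return 0; fi
  if openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then echo pem
  elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then echo der
  else echo unknown; fi
}

# Correct argument order for the export. The goof Richard infers,
# "openssl pkcs12 -export -in -passin ...", makes the literal string
# "-passin" the argument of -in, hence fopen('-passin') in the errors.
export_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout pass:demo
}

make_fixtures
for key in cakey.pem newreq.pem; do
  if cert_matches_key "$WORK/cacert.pem" "$WORK/$key"; then
    echo "cacert.pem matches $key"
  else
    echo "cacert.pem does NOT match $key (pkcs12 -export would fail)"
  fi
done
for f in cacert.pem root.cer root.pem; do
  echo "$f: $(cert_format "$WORK/$f")"
done
export_p12 "$WORK/cacert.pem" "$WORK/cakey.pem" "$WORK/root.p12"
# Confirm the bundle opens with the password and carries the certificate.
openssl pkcs12 -in "$WORK/root.p12" -passin pass:demo -nokeys -clcerts | openssl x509 -noout -subject
```

Run as-is it reports that cacert.pem matches cakey.pem but not newreq.pem (the thread's first command pairs the CA certificate with a freshly generated request key, which is exactly this mismatch), that root.cer is DER and root.pem is missing, and then prints the subject recovered from the PKCS#12 bundle. A DER file must be converted with `openssl x509 -inform DER -in root.cer -out root.pem` before any PEM-only step reads it.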