I'm attempting to use CA.pl on a Solaris 10 Sparc system. OpenSSL is provided on the distribution CDs (OpenSSL 0.9.7d 17 Mar 2004). I use the following commands:
1. CA.pl -newca
2. CA.pl -newreq
3. CA.pl -signreq {problems at this step}

During the signreq, the program cannot open the CA private key and produces a core file:

---------
Using configuration from /etc/sfw/openssl/openssl.cnf
Error opening CA private key /etc/sfw/openssl/private/cakey.pem
20715:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/conf/conf_lib.c:329:group=CA_default name=unique_subject
20715:error:0200100D:system library:fopen:Permission denied:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('/etc/sfw/openssl/private/cakey.pem','r')
20715:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:278:
unable to load CA private key
Signed certificate is in newcert.pem
------

The file "newcert.pem" is not created. The CA private key apparently is contained in "./demoCA/private/cakey.pem".

Should I use a custom openssl.cnf to fix this problem? Or modify CA.pl?

Thanks,
-David

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Tue, Nov 08, 2005, david kine wrote:
>
> > In the book "Network Security with OpenSSL" on pages 124-125 is a list of OpenSSL commands to create a root CA, and a server CA signed with the root CA.
> >
> > My question is, how would I use the openssl CA command to revoke the server CA certificate by the root CA, and generate a CRL?
> >
> > I have tried "openssl ca -revoke ....." and "openssl ca -crl ......" without success.
> >
> > ----
> >
> > Here are the commands to create the root CA:
> >
> > 1. openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
> >
> > 2. openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
> >
> > 3. cat rootcert.pem rootkey.pem > root.pem
> >
> > And to create the server CA signed by the root CA:
> >
> > 4. openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
> >
> > 5. openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
> >
> > 6. cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
> >
>
> The 'ca -gencrl' option will only directly work on a CA that is generated by the 'ca' command. Some guides still tell you to create certificates manually using the 'x509' command.
>
> If you can instead use the CA.pl script to generate the certificates then the revoke and gencrl options should work.
>
> Alternatively if you need to use the existing certificates you can create the necessary structure with CA.pl -newca and give it the root CA certificate file when prompted.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
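The two problems in this thread have the same root: 'openssl ca' (and CA.pl, which wraps it) only works against a directory it manages, whose location and private-key path come from the CA_default section of the openssl.cnf in use. The "fopen: Permission denied" line in the post shows the system /etc/sfw/openssl/openssl.cnf pointing at a key the user cannot read, while CA.pl -newca had written the key under ./demoCA. The script below is an added example, not code from the thread or from the OpenSSL project: it writes its own openssl.cnf for a scratch CA directory (so no system config is consulted), issues a certificate, revokes it with 'ca -revoke', and produces a CRL with 'ca -gencrl', which is the flow Steve describes. It assumes a POSIX shell and an OpenSSL 1.1 or 3.x command-line tool on PATH; the CA_ROOT directory, the subject names, and the helper function names are constructed for this example. The config keys (dir, database, private_key, unique_subject, ...) are the standard CA_default keys; unique_subject is the setting the NCONF_get_string "no value" notice in the post refers to, and is set explicitly here.

```sh
#!/bin/sh
# Added example (not from the thread): a CA directory that 'openssl ca' manages,
# one issued certificate, a revocation, and a CRL. Everything lives under a
# scratch directory; the Solaris /etc/sfw layout from the post is not touched.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH; nothing to do" >&2; exit 0; }

CA_ROOT="${CA_ROOT:-$(mktemp -d)}"   # constructed location for this example
CNF="$CA_ROOT/openssl.cnf"

# 'openssl ca' refuses to run without its bookkeeping files (index.txt, serial,
# crlnumber, new_certs_dir). CA.pl -newca creates the same layout under ./demoCA;
# writing the config ourselves pins private_key to a file we actually own.
ca_init() {
  mkdir -p "$CA_ROOT/private" "$CA_ROOT/newcerts" "$CA_ROOT/crl"
  chmod 700 "$CA_ROOT/private"        # CA key readable by the CA operator only
  : > "$CA_ROOT/index.txt"            # certificate database, one line per cert
  echo 01 > "$CA_ROOT/serial"         # next certificate serial
  echo 01 > "$CA_ROOT/crlnumber"      # next CRL number (v2 CRLs)
  cat > "$CNF" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $CA_ROOT
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
# set explicitly so 'ca' does not report "no value" for unique_subject
unique_subject   = no

[ policy_any ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
# placeholder only; every request below passes -subj
CN                 = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  # Self-signed root, written straight into the paths the config names.
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -config "$CNF" \
    -extensions v3_ca -subj "/CN=example-root-ca" \
    -keyout "$CA_ROOT/private/cakey.pem" -out "$CA_ROOT/cacert.pem" 2>/dev/null
}

# Key + CSR for an end entity, signed by the CA. Prints the certificate path.
ca_issue() {   # $1 = common name (constructed), $2 = file basename
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
    -keyout "$CA_ROOT/$2-key.pem" -out "$CA_ROOT/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CNF" -in "$CA_ROOT/$2.csr" \
    -out "$CA_ROOT/$2-cert.pem" 2>/dev/null
  echo "$CA_ROOT/$2-cert.pem"
}

# Mark a certificate revoked in index.txt; the reason is recorded in the CRL.
ca_revoke() {  # $1 = certificate file
  openssl ca -config "$CNF" -revoke "$1" -crl_reason keyCompromise 2>/dev/null
}

# Build the CRL from the database. Prints the CRL path.
ca_gencrl() {
  openssl ca -config "$CNF" -gencrl -out "$CA_ROOT/crl/crl.pem" 2>/dev/null
  echo "$CA_ROOT/crl/crl.pem"
}

cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# 0 if index.txt carries status "R" for this certificate's serial (column 4).
ca_is_revoked() {  # $1 = certificate file
  s=$(cert_serial "$1")
  awk -F"$(printf '\t')" -v s="$s" '$1 == "R" && $4 == s { found = 1 } END { exit !found }' \
    "$CA_ROOT/index.txt"
}

# 0 if the CRL's revoked-certificate list names this certificate's serial.
crl_lists() {      # $1 = CRL file, $2 = certificate file
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $(cert_serial "$2")"
}

# Full flow when run as a script.
ca_init
SERVER_CERT=$(ca_issue server.example.test server)
echo "issued serial $(cert_serial "$SERVER_CERT") -> $SERVER_CERT"
ca_revoke "$SERVER_CERT"
CRL=$(ca_gencrl)
ca_is_revoked "$SERVER_CERT" && echo "database marks it revoked ($CA_ROOT/index.txt)"
crl_lists "$CRL" "$SERVER_CERT" && echo "CRL at $CRL lists it"
```

Run it as `sh ca-demo.sh`; set CA_ROOT to choose the directory instead of a fresh mktemp one (the directory is left in place so index.txt, serial and the CRL can be inspected). The point for the Solaris case is the `Using configuration from ...` line 'openssl ca' prints: whatever file it names decides `dir` and `private_key`, so a config whose CA_default points at a key the invoking user cannot read fails exactly as in the post, regardless of where CA.pl -newca put the key.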