Re: revoking certs and generating crl's

Wed, 09 Nov 2005 12:59:24 -0800 

On Wed, Nov 09, 2005, david kine wrote:

> I'm attempting to use CA.pl on a Solaris 10 Sparc
> system.  OpenSSL is provided on the distribution CD's
> (OpenSSL 0.9.7d 17 Mar 2004).  I use the following
> commands:
> 
> 1.  CA.pl -newca
> 2.  CA.pl -newreq
> 3.  CA.pl -signreq      {problems at this step}
> 
> During the signreq, the program cannot open the CA
> private key and produces a core file:
> 
> ---------
> 
> Using configuration from /etc/sfw/openssl/openssl.cnf
> Error opening CA private key
> /etc/sfw/openssl/private/cakey.pem
> 20715:error:0E06D06C:configuration file
> routines:NCONF_get_string:no
> value:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/conf/conf_lib.c:329:group=CA_default
> name=unique_subject
> 20715:error:0200100D:system library:fopen:Permission
> denied:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('/etc/sfw/openssl/private/cakey.pem','r')
> 20715:error:20074002:BIO routines:FILE_CTRL:system
> lib:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:278:
> unable to load CA private key
> Signed certificate is in newcert.pem
> 
> ------
> 
> The file "newcert.pem" is not created.
> 
> The CA private key apparently is contained in
> "./demoCA/private/cakey.pem".
> 
> Should I use a custom openssl.cnf to fix this problem?
>  Or modify CA.pl?
> 

Looks like they've modified openssl.cnf already but haven't changed CA.pl to
suit.

You could try a standard openssl.cnf (e.g. from a standard distribution on
www.openssl.org) and using the OPENSSL_CONF environment variable to point to 
it. 

Alternatively try compiling up a more recent version of OpenSSL and using
that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to