It's best if you tag your in/out files with '.pem', '.csr', '.crt'. I realize that UNIX doesn't deal with file extensions, but it goes a LONG way to help with debugging.

Do you have a file called ./private/ca-key.pem? It is looking for the CA's private key, which is located in the same file as the CA's certificate [used for getting the authority information]. It's supposed to be in a PEM (base-64, i.e. text)-encoded form, containing a TRUSTED CERTIFICATE and a PRIVATE KEY. If you don't have it set up properly, it will throw an error.

Try going through the CA howto on the openssl website, creating a new CA, and looking at the format of the contents of the files associated with each step of the process.

-Kyle H

On 12/15/06, Alex <[EMAIL PROTECTED]> wrote:
On Thu, 14 Dec 2006 12:03:28 -0700
"Kyle Hamilton" <[EMAIL PROTECTED]> wrote:

> If you use 'openssl x509 -x509toreq' it will create a request from an
> X.509 object.
> If you use 'openssl req -x509' it will create an X.509 object instead
> of a request.
>
> However, the appropriate solution to this problem is to use 'openssl
> x509 -inform der -in test -text -noout'. It's expecting a trusted
> certificate in PEM (aka base-64 encoded or ascii-armored) format.
> '-inform der' tells it to expect a DER-encoded bytestream.
>
> Cheers,
>
> -Kyle H
>

The real issue here is that I can not sign anything. 'test' is indeed a valid certificate request:

$ openssl req -in test -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
[etc]

$ openssl ca -verbose -config openssl.cnf -in test -out test.crt
Using configuration from openssl.cnf
Enter pass phrase for ./private/ca-key.pem:
unable to load certificate
2055:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE

The ca command is expecting a trusted certificate? The manual says:

-in filename
    an input filename containing a single certificate request to be signed by the CA.

I don't get it. Why does the man page say that -in is supposed to be a certificate request when using -in results in an error saying it needs a certificate?

--
Alex

--
-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
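
An added example, not part of the thread or of OpenSSL: the "no start line" error means the PEM reader found no `-----BEGIN ...-----` line of the type it expected in the file it was reading, so listing the block labels in each file shows which one is wrong. The function names and the sample files are constructed for illustration; the labels are the standard PEM ones.

```shell
# pem_labels FILE: print the label of each PEM block in FILE, one per line.
# Prints NO-PEM-START-LINE if there is none (DER data, empty or wrong file),
# the condition OpenSSL reports as "PEM_read_bio:no start line".
pem_labels() {
    labels=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1")
    if [ -n "$labels" ]; then printf '%s\n' "$labels"; else echo NO-PEM-START-LINE; fi
}

# has_label FILE LABEL...: succeed if FILE has a block with any listed label.
has_label() {
    f=$1; shift
    for want in "$@"; do
        pem_labels "$f" | grep -qxF -e "$want" && return 0
    done
    return 1
}

# need_block ROLE FILE LABEL...: report and fail if FILE lacks the block type.
need_block() {
    role=$1; file=$2; shift 2
    has_label "$file" "$@" && return 0
    echo "$role $file: found $(pem_labels "$file" | paste -sd, -)"
    return 1
}

# check_ca_inputs CACERT CAKEY REQUEST: return 0 only if every file holds the
# kind of PEM block its role in 'openssl ca' needs.
check_ca_inputs() {
    rc=0
    need_block "CA certificate" "$1" "CERTIFICATE" "TRUSTED CERTIFICATE" "X509 CERTIFICATE" || rc=1
    need_block "CA private key" "$2" "PRIVATE KEY" "RSA PRIVATE KEY" "ENCRYPTED PRIVATE KEY" || rc=1
    need_block "request" "$3" "CERTIFICATE REQUEST" "NEW CERTIFICATE REQUEST" || rc=1
    return $rc
}

# demo: constructed files, placeholder bodies; the CA cert path holds a key copy.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'QUJD' '-----END CERTIFICATE REQUEST-----' > "$d/test.csr"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJD' '-----END RSA PRIVATE KEY-----' > "$d/ca-key.pem"
    cp "$d/ca-key.pem" "$d/ca-cert.pem"
    check_ca_inputs "$d/ca-cert.pem" "$d/ca-key.pem" "$d/test.csr"; status=$?
    rm -rf "$d"
    return $status
}

case $# in
    3) check_ca_inputs "$@" ;;
    0) demo || echo "demo: misplaced key detected" ;;
esac
```

Run with three paths (CA certificate, CA key, request) to check real files; the paths to use are the ones your openssl.cnf names.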