Hi all,

While creating a certificate for our OpenLDAP directory server, the file with the CA certificate (cacert.pem) is not getting created when I run the CA.sh script. We are using openssl-0.9.8g. Our LDAP is openLDAP-2.4.7. Please help. Please find the enclosed document and guide me if I went wrong in any of the steps. Our directory server is on a Red Hat Linux machine.

Our SSL is in /usr/local/ssl and we are creating the certificate from the /home/access/myca directory. I have enclosed the error document here:

Thanks,
padmavathi.
Step 1: When I entered this command

    /usr/local/ssl/misc/CA.sh -newca

the output was:

    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ...........++++++
    .......................................++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:IN
    State or Province Name (full name) [Berkshire]:Haryana
    Locality Name (eg, city) [Newbury]:Gurgaon
    Organization Name (eg, company) [My Company Ltd]:bsnl com
    Organizational Unit Name (eg, section) []:delhi
    Common Name (eg, your name or your server's hostname) []:as3
    Email Address []:[EMAIL PROTECTED]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:challenge1234
    An optional company name []:TCS
    unknown option -selfsign
    usage: ca args

     -verbose        - Talk alot while doing things
     -config file    - A config file
     -name arg       - The particular CA definition to use
     -gencrl         - Generate a new CRL
     -crldays days   - Days is when the next CRL is due
     -crlhours hours - Hours is when the next CRL is due
     -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
     -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
     -days arg       - number of days to certify the certificate for
     -md arg         - md to use, one of md2, md5, sha or sha1
     -policy arg     - The CA 'policy' to support
     -keyfile arg    - private key file
     -keyform arg    - private key file format (PEM or ENGINE)
     -key arg        - key to decode the private key if it is encrypted
     -cert file      - The CA certificate
     -in file        - The input PEM encoded certificate request(s)
     -out file       - Where to put the output file(s)
     -outdir dir     - Where to put output certificates
     -infiles ....   - The last argument, requests to process
     -spkac file     - File contains DN and signed public key and challenge
     -ss_cert file   - File contains a self signed cert to sign
     -preserveDN     - Don't re-order the DN
     -noemailDN      - Don't add the EMAIL field into certificate' subject
     -batch          - Don't ask questions
     -msie_hack      - msie modifications to handle all those universal strings
     -revoke file    - Revoke a certificate (given in file)
     -subj arg       - Use arg instead of request's subject
     -extensions ..  - Extension section (override value in config file)
     -extfile file   - Configuration file with X509v3 extentions to add
     -crlexts ..     - CRL extension section (override value in config file)
     -engine e       - use engine e, possibly a hardware device.
     -status serial  - Shows certificate status given the serial number
     -updatedb       - Updates db for expired certificates

Step 2: Server signing request. When I entered this command

    $ openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

the output was:

    Generating a 1024 bit RSA private key
    ..++++++
    .....++++++
    writing new private key to 'newreq.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:IN
    State or Province Name (full name) [Berkshire]:Haryana
    Locality Name (eg, city) [Newbury]:Gurgaon
    Organization Name (eg, company) [My Company Ltd]:bsnl com
    Organizational Unit Name (eg, section) []:delhi
    Common Name (eg, your name or your server's hostname) []:as3
    Email Address []:[EMAIL PROTECTED]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:challenge1234
    An optional company name []:TCS

The above step created newreq.pem.

Step 3: To have the request signed by the CA, I ran

    $ /usr/share/ssl/misc/CA.sh -sign

    Using configuration from /usr/share/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Error opening CA certificate ./demoCA/cacert.pem
    21797:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/cacert.pem','r')
    21797:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
    unable to load certificate
    cat: newcert.pem: No such file or directory
    Signed certificate is in newcert.pem

Also, the cacert.pem file is not getting created in step 1.
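The usage text printed in step 1 lists no -selfsign option, so the openssl binary that CA.sh ran does not support it (the option was added to `openssl ca` in 0.9.8); the step 1 run therefore aborts before cacert.pem is written, which is why step 3 cannot open it. The script below is an added example, not part of the post and not the OpenSSL project's CA.sh: it first reports which `openssl` is on PATH and whether its `ca` command knows -selfsign, then builds the demoCA layout by hand, creating the CA certificate with `openssl req -x509` (available in every release) so that cacert.pem exists before any signing. The config file, the 2048-bit key size, the "Demo CA" name and the directory paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: manual demoCA setup, independent of CA.sh.
# Assumes an `openssl` binary in PATH; all paths and names are constructed.
set -e

# Report which openssl binary a script like CA.sh would invoke and whether
# its `ca` subcommand accepts -selfsign (the option CA.sh -newca in 0.9.8 uses).
check_selfsign_support() {
    bin=$(command -v openssl) || return 1
    echo "using: $bin ($("$bin" version))"
    "$bin" ca -help 2>&1 | grep -q -- '-selfsign'
}

# Write a minimal openssl.cnf so `openssl ca` does not depend on the
# system-wide config under /usr/share/ssl or /usr/local/ssl.
write_config() {
    catop=$1
    cat > "$catop/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $catop
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
default_days     = 365
default_md       = sha256
policy           = policy_any
x509_extensions  = server_cert

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Demo CA

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Create the CA key and a self-signed CA certificate with `req -x509`,
# so cacert.pem is present before `openssl ca` ever runs.
make_ca() {
    catop=$1
    mkdir -p "$catop/private" "$catop/newcerts"
    chmod 700 "$catop/private"
    : > "$catop/index.txt"
    echo 01 > "$catop/serial"
    write_config "$catop"
    openssl req -config "$catop/openssl.cnf" -new -x509 -days 3650 \
        -newkey rsa:2048 -nodes -keyout "$catop/private/cakey.pem" \
        -out "$catop/cacert.pem" -extensions v3_ca
    test -s "$catop/cacert.pem"
}

# Generate a server key and CSR, sign the CSR with the CA, and verify
# that the issued certificate chains to cacert.pem.
sign_server_cert() {
    catop=$1; cn=$2
    openssl req -config "$catop/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -keyout "$catop/newkey.pem" -out "$catop/newreq.pem"
    openssl ca -config "$catop/openssl.cnf" -batch \
        -in "$catop/newreq.pem" -out "$catop/newcert.pem"
    openssl verify -CAfile "$catop/cacert.pem" "$catop/newcert.pem"
}

# Usage (constructed path): sh democa.sh /home/access/myca/demoCA
if [ $# -gt 0 ]; then
    check_selfsign_support ||
        echo "note: this openssl ca has no -selfsign; CA.sh -newca from 0.9.8 will fail here"
    make_ca "$1"
    sign_server_cert "$1" as3
fi
```

If `check_selfsign_support` prints a path other than /usr/local/ssl/bin/openssl, the 0.9.8g CA.sh is being run against a different openssl binary; the rest of the script sidesteps that by never calling `ca -selfsign`. The server key is written with -nodes here only because the CA.sh flow in the post does the same; for a production LDAP server key, protect the file with filesystem permissions at minimum.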