From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, 03 November, 2008 11:38
> I am trying to sign a cert I created using Cleo Lexicom, but get the below error.
>
> C:\OpenSSL\bin>openssl x509 -req -days 1825 -in owi_inter_root.csr -CA owi_inter_root.cer -CAkey owi_inter_root.pem -set_serial 01 -out owi_server.crt
> <snip>
> unable to load CA Private Key

To be exact, this is trying to create (and sign) a certificate from a CSR which you presumably created as stated. (A cert contains most of the data from the CSR, but not all, and in a different format, and adds other.) Your .csr is for the same entity as the .cer you specify as CA, which is selfsigned but not marked as CA, so this would just produce another selfsigned (and unmarked) cert, which doesn't appear to accomplish much.

> C:\OpenSSL\bin>openssl req -new -x509 -days 1825 -key owi_inter_root.pem -out test.crt
> unable to load Private Key
> <snip: plus attachments>

And this would create (and sign) a selfsigned cert for the presumably same key, but a possibly different name and certainly(?) serial and period.

Your owi_inter_root.pem is labelled as BEGIN/END PRIVATE KEY (meaning clear) but appears to actually be a PKCS8 pbe-encrypted bag, presumably containing the key. If this is really the key you want to use for your CA, change the labels to BEGIN/END ENCRYPTED PRIVATE KEY, and supply the passphrase. And preferably you should change (regenerate) the related cert to be a CA and allow certsigning (or equivalent).

But you already have a selfsigned .cer, presumably created by whatever. If what you want is a cert signed by a distinct CA, you need to use the CAkey and CAcert and configuration (and policy if any) for that CA.
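
The label mismatch diagnosed in the reply can be checked without the passphrase. The following is an added example, not part of the original message: it decodes a PEM block and compares its BEGIN/END label with the PKCS#8 structure the DER body actually holds. The function names and the sample key (dummy salt and ciphertext) are constructed for illustration, and a single PEM block per file is assumed.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# First element inside the outer SEQUENCE: INTEGER (version) for a clear
# PrivateKeyInfo, SEQUENCE (AlgorithmIdentifier) for EncryptedPrivateKeyInfo.
LABEL_FOR_TAG = {0x02: "PRIVATE KEY", 0x30: "ENCRYPTED PRIVATE KEY"}

def tlv(tag, body):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def to_pem(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

def check_pkcs8_label(pem_text):
    """Return (label_in_file, label_the_der_calls_for) for a PKCS#8 PEM."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    if label not in LABEL_FOR_TAG.values():
        raise ValueError(f"not a PKCS#8 label: {label}")
    der = base64.b64decode("".join(m.group(2).split()))
    if len(der) < 3 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    # Skip the outer tag and its length (short form, or 0x8N + N bytes).
    skip = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    if skip >= len(der) or der[skip] not in LABEL_FOR_TAG:
        raise ValueError("body is not PKCS#8")
    return label, LABEL_FOR_TAG[der[skip]]

def fix_label(pem_text):
    """Rewrite BEGIN/END to match the body; the key bytes are untouched."""
    label, actual = check_pkcs8_label(pem_text)
    return pem_text.replace(f" {label}-----", f" {actual}-----")

# Constructed sample: EncryptedPrivateKeyInfo layout with dummy salt and
# ciphertext, wrapped in the wrong (clear-key) label as in the thread.
PBE_OID = bytes.fromhex("2a864886f70d010503")  # pbeWithMD5AndDES-CBC
params = tlv(0x30, tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00"))
ENC_DER = tlv(0x30, tlv(0x30, tlv(0x06, PBE_OID) + params) + tlv(0x04, bytes(64)))
MISLABELLED = to_pem("PRIVATE KEY", ENC_DER)
```

Traditional labels such as RSA PRIVATE KEY are rejected rather than guessed at, since they are not PKCS#8 containers.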