To answer your question:

Does the index.txt file exist: no
Does the serial file exist and contain a serial number, as required: no

How do I generate the index.txt and serial files?


-------- Original Message --------
From: Dave Thompson <dave.thomp...@princetonpayments.com>
Reply-to: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: RE: index.txt: library:fopen:No such file or directory ...index.txt when generate csr key.
Date: Sun, 3 May 2009 20:27:50 -0400


>       From: owner-openssl-us...@openssl.org On Behalf Of David Touzeau
>       Sent: Sunday, 03 May, 2009 17:52

>       I'm trying to generate openvpn keys.

>       openssl req -batch -days 3650 -nodes -new -newkey rsa:1024 -sha1 -x509 -keyout "/etc/openvpn/keys/ca.key" -out "/etc/openvpn/keys/ca.crt" -config /etc/openvpn/openssl.cnf

>       openssl req -batch -days 3650 -nodes -new -newkey rsa:1024 -keyout -out "/etc/openvpn/keys/SERVER.csr" -extensions server -config "/etc/openvpn/openssl.cnf"

>       openssl ca -batch -days 3650 -out "/etc/openvpn/keys/SERVER.crt" -in "/etc/openvpn/keys/SERVER.csr" -extensions server -md sha1 -config "/etc/openvpn/openssl.cnf"

>       Using configuration from /etc/openvpn/openssl.cnf
>       /etc/openvpn/keys/index.txt: No such file or directory
<snip rest>

Well, does the index.txt file exist, as required?
To preempt your likely next question, does the 
serial file exist and contain a serial number, as required?
See the descriptions of 'database' and 'serial' in man ca .

Nits- I would put md=sha1 in the config file as permanent, 
there is no good reason for a CA today ever to use md5.
You don't need quotes on pathnames containing no special chars.

On the second req (for SERVER) you need a pathname after -keyout,
and I presume you actually had one or you would have gotten an error.
Also on that req, -days is ignored without -x509; only the value 
in the ca config or on the ca commandline (you have both) is used.

And using the [req_distinguished_name] section you showed with -batch 
will give you undescriptive names. And using the same (file and) DN section 
for both CA (cert) and SERVER (req->cert) is likely to cause confusion later, 
although using AKID=keyid as you did may be enough for software to work.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
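
For the question at the top of this thread, an added example (not part of either poster's message): a shell function that creates the two files `openssl ca` reads through the `database` and `serial` settings described in man ca. It assumes both files sit in the directory passed as the first argument under the names index.txt and serial (only /etc/openvpn/keys/index.txt appears in the thread; the serial file name is an assumption), and the function name init_ca_files is hypothetical.

```shell
#!/bin/sh
# Added example: prepare the 'database' and 'serial' files for `openssl ca`.
# Assumption: both live in one directory as index.txt and serial; check the
# 'database' and 'serial' values in your openssl.cnf for the real paths.

init_ca_files() {
    ca_dir=$1
    start_serial=${2:-01}   # next serial in hex; even digit count by convention

    [ -d "$ca_dir" ] || { echo "no such directory: $ca_dir" >&2; return 1; }

    # The serial must be hex digits only, with an even number of digits.
    case $start_serial in
        ''|*[!0-9A-Fa-f]*)
            echo "serial must be hex: $start_serial" >&2; return 2 ;;
    esac
    [ $(( ${#start_serial} % 2 )) -eq 0 ] || {
        echo "serial needs an even number of digits: $start_serial" >&2
        return 2
    }

    # database: must exist and starts out empty. An existing file is the
    # record of every certificate issued, so it is never truncated here.
    [ -e "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"

    # serial: must exist and hold the next serial number. Resetting a live
    # serial would make the CA reuse numbers it has already issued.
    if [ -s "$ca_dir/serial" ]; then
        echo "keeping existing serial $(cat "$ca_dir/serial")" >&2
    else
        printf '%s\n' "$start_serial" > "$ca_dir/serial"
    fi
}

# Usage for the directory named in the thread:
#   init_ca_files /etc/openvpn/keys
```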
