LinuxQuestions.org
Old 02-15-2005, 10:42 PM   #1
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Rep: Reputation: 32
OpenSSL x509: Expecting: CERTIFICATE REQUEST


Hello there

I'm trying to generate an SSL certificate. This is the process I've been following:

[root@Lobster1 private]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
......++++++
e is 65537 (0x10001)

[root@Lobster1 private]# chmod 400 server.key

[root@Lobster1 private]# openssl req -new -key server.key -out server.csr
<some questions - no errors>

[root@Lobster1 private]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

[root@Lobster1 private]# openssl req -new -x509 -days 365 -key ca.key -out ca.csr
<more questions, no errors>

[root@Lobster1 private]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
30075:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE REQUEST

And that's the obvious problem. Now I can make it not fail by leaving out the -req switch, but the sign.sh program gives completely odd outputs AND also gives two errors if I do that:

Personally, it seems to me that the -req should be in there because the guide I'm working off has it (Apache Essential - D.J. Harkness) in there.

Any ideas on how to fix this? It is on a Mandrake 10.0 (official) version of GNU/Linux with its September 2003 version of SSL 0.9.3c, I think it was (installing a newer version right now).
 
Old 02-16-2005, 05:48 AM   #2
bbk
Member
 
Registered: Jan 2005
Location: Budapest/Hungary
Distribution: knoppix-hdd/debian
Posts: 56

Rep: Reputation: 15
after this point: # openssl req -new -x509 -days 365 -key ca.key -out ca.csr

convert the x509 certificate to a certificate request:
# openssl x509 -x509toreq -days 365 -in ca.csr -signkey ca.key -out ca.req

and then use the final signing:
# openssl x509 -req -days 365 -in ca.req -signkey ca.key -out ca.crt

I hope I could help.
 
Old 02-16-2005, 06:04 PM   #3
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Original Poster
Rep: Reputation: 32
I used what bbk suggested, and got a little further. However, when I sign it, it still fails. There are two obvious problems:

1) The period to be certified for is different - I specified 365 days, but it exclaims 2002 (which isn't even cleanly divisible by 365, so I don't know what happened there).

and 2) Two errors appear before the script terminates. Now I am aware that I am generating a certificate for our own use and it is self-issued (and thus signed). Is that the issue?


The log of the last few steps:

Certificate is to be certified until Aug 12 10:07:00 2010 GMT (2002 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=AU/ST=NSW/L=Somewhere/O=SNIP/OU=SNIP/CN=www.snip.com.au/emailAddress=root@snip.com.au
error 18 at 0 depth lookup:self signed certificate
/C=AU/ST=NSW/L=Somewhere/O=SNIP/OU=SNIP/CN=www.snip.com.au/emailAddress=root@snip.com.au
error 7 at 0 depth lookup:certificate signature failure

PS I replaced some of the real data in there with SNIP :P
 
Old 02-21-2005, 03:23 AM   #4
bbk
Member
 
Registered: Jan 2005
Location: Budapest/Hungary
Distribution: knoppix-hdd/debian
Posts: 56

Rep: Reputation: 15
1) I do not know how you generated the certificate from the request but as I wrote, it is 365 days... you can check your x509 certificate with the command

openssl x509 -text -in ca.crt

(as in my example it shows:
Validity
Not Before: Feb 21 09:12:31 2005 GMT
Not After : Feb 21 09:12:31 2006 GMT)

2) Yes, this is a self-signed certificate, and for a certificate to be accepted by default it should have a valid signature chain (meaning that the root certificate must be from a globally accepted certificate provider, like Verisign, or so).
Another way, for internal use (e.g. corporate, home, developer network, etc.), is to create your own self-signed CA (Certificate Authority) and import its root certificate into each of your clients as a trusted certificate.
Afterwards you use this CA as the root CA, the "signer" of each of your other certificates (e.g. a script-signing certificate), so your clients will treat your signed certificates as trusted and valid.

Check these OpenSSL Howto pages:
http://sapiens.wustl.edu/~sysmain/in...nssl_cert.html
http://sapiens.wustl.edu/~sysmain/in...penssl_ca.html
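
The private-CA flow described in post #4, as an added example that is not part of the thread: a self-signed CA certificate, a server CSR, and the CA signing that CSR, plus a check of which PEM type each file holds (the mismatch behind "Expecting: CERTIFICATE REQUEST"). Assumptions: the subject names, the `ca.cnf` file and the function names are made up for this example, keys are 2048-bit rather than the thread's 1024, and keys carry no passphrase so the script runs unattended.

```bash
#!/usr/bin/env bash
# Added example: constructed subjects, throwaway keys without passphrases.

# Report what a PEM file holds by reading its first BEGIN line.
pem_kind() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Build a private CA and a server certificate signed by it in directory $1.
build_chain() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # 1. CA key and self-signed CA certificate. "req -new -x509" writes a
  #    CERTIFICATE, so the output is named ca.crt, not ca.csr.
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
  openssl req -new -x509 -days 365 -config "$d/ca.cnf" \
    -key "$d/ca.key" -out "$d/ca.crt" &&
  # 2. Server key and a real CERTIFICATE REQUEST (no -x509). The subject
  #    differs from the CA's: issuer == subject is treated as self-signed.
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
  chmod 400 "$d/ca.key" "$d/server.key" &&
  openssl req -new -config "$d/ca.cnf" -subj "/CN=www.example.test" \
    -key "$d/server.key" -out "$d/server.csr" &&
  # 3. The CA signs the request: -CA/-CAkey, not -signkey (self-signing).
  openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# Succeeds only if server.crt chains to ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# The thread's failing step: a CERTIFICATE fed to "x509 -req" is rejected.
rejects_certificate_as_request() {
  ! openssl x509 -req -in "$1/ca.crt" -signkey "$1/ca.key" -out /dev/null 2>/dev/null
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir" && verify_chain "$demo_dir" &&
  echo "ca.crt=$(pem_kind "$demo_dir/ca.crt") server.csr=$(pem_kind "$demo_dir/server.csr")"
```

Clients then import `ca.crt` as a trusted root; `ca.key` stays off the web server.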
 
Old 02-23-2005, 03:55 AM   #5
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Original Poster
Rep: Reputation: 32
Sweet, I'll take a look at those.
 
Old 06-10-2010, 11:28 AM   #6
fgordonie
LQ Newbie
 
Registered: Jun 2010
Posts: 2

Rep: Reputation: 0
Make sure you...

check out the -trustout option in "openssl x509".
also when signing using "openssl smime" explicitly mention the "-inkey".


Frank
 
  

