Hello there

I'm trying to generate an SSL certificate. This is the process I've been following:

[root@Lobster1 private]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
......++++++
e is 65537 (0x10001)

[root@Lobster1 private]# chmod 400 server.key

[root@Lobster1 private]# openssl req -new -key server.key -out server.csr
<some questions - no errors>

[root@Lobster1 private]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

[root@Lobster1 private]# openssl req -new -x509 -days 365 -key ca.key -out ca.csr
<more questions, no errors>

[root@Lobster1 private]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
30075:error:0906D06C:PEM routines:PEM_read_bio:no start lineem_lib.c:632:Expecting: CERTIFICATE REQUEST

And that's the obvious problem. Now I can make it not fail by leaving out the -req switch, but the sign.sh program gives completely odd outputs AND also gives two errors if i do that:

Personally it seems to me that the -req should be in there because the guide i'm working of has it (Apache Essential - D.J. Harkness) in there.

Any ideas on how to fix this? it is on a Mandrake 10.0 (official) version of GNU/Linux with it's September 2003 version of SSL 0.9.3c i think it was (installing a newer version right now).

after this point: # openssl req -new -x509 -days 365 -key ca.key -out ca.csr

convert the x509 certificate to a certificate request:
# openssl x509 -x509toreq -days 365 -in ca.csr -signkey ca.key -out ca.req

and then use the final signing:
# openssl x509 -req -days 365 -in ca.req -signkey ca.key -out ca.crt

I hope I could helped.

I used what bbk suggested, and got a little further. However when i sign it, it still fails. There are two obvious problems:

1) the period to be certified for is different - i specified 365 days, but it exclaims 2002. (which isn't even cleanly divisible by 365 so i don't know what happened there).

and 2) Two errors appear before the script terminates. Now i am aware that i am generating a certificate for our own use and it is self issued (and thus signed). Is that the issue?


The log of the last few steps:

Certificate is to be certified until Aug 12 10:07:00 2010 GMT (2002 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=AU/ST=NSW/L=Somewhere/O=SNIP/OU=SNIP/CN=www.snip.com.au/emailAddress=root@snip.com.au
error 18 at 0 depth lookup:self signed certificate
/C=AU/ST=NSW/L=Somewhere/O=SNIP/OU=SNIP/CN=www.snip.com.au/emailAddress=root@snip.com.au
error 7 at 0 depth lookup:certificate signature failure

PS I replaced some of the real data in there with SNIP :P

1) I do not know how you generated the certificate from the request but as I wrote, it is 365 days... you can check your x509 certificate with the command

openssl x509 -text -in ca.crt

(as in my example it shows:
Validity
Not Before: Feb 21 09:12:31 2005 GMT
Not After : Feb 21 09:12:31 2006 GMT)

2) yes, this is a self signed certificate, and for a default accepted certificate it should have a valid signature chain (it means that the root certificate must be a globally accepted certificate provider, like Verisign, or so)
Another way for an internal, e.g. corporal, home use, developer network, etc, is that you create an own, self signed CA (Certificate Authority) and you import to each of your client's its root certificate as a trusted certificate.
Afterwards you use this CA as the root CA of each of your other, e.g. script signing certificate's "signer", so your clients will be using your signed certificate as a trusted and valid certificate.

Check this OpenSSL Howto pages:
http://sapiens.wustl.edu/~sysmain/in...nssl_cert.html
http://sapiens.wustl.edu/~sysmain/in...penssl_ca.html

sweet, i'll take a look at those

check out the -trustout option in "openssl x509".
also when signing using "openssl smime" explicitly mention the "-inkey".


Frank