Sigh.  But if you READ THE MAN PAGE FOR X509 YOU WOULD
SEE THAT IF THERE IS NO -CASERIAL FILE SPECIFIED IT
LOOKS IN A FILE WITH THE SAME NAME AS THE SIGNING CERT
BUT WITH A SRL SUFFIX.

So if you put the two ASCII characters 1A into a file
called cacert.srl you would expect the certificate that
is produced to have serial number 25 and the file to
contain 1B after all the smoke has cleared.

Honestly, you'd think after you led the horse to within
two feet of the river he would figure it out...

Rohan Pinto wrote:
I keep getting an error when I try this.

i generated privkey.pem by using

./openssl genrsa -out privkey.pem 2048

AND cacert.pem by using
./openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

Then I generated a CSR from my webserver (on a different domain/different
box, different instance altogether), named it mev.csr.pem, and
transferred that file over to the box running openssl.

./openssl x509 -req -in mev.csr.pem -CA cacert.pem -CAkey privkey.pem -days 1024 -out mev.cert.pem
Signature ok
subject=/C=US/ST=California/L=San Jose/O=MEV DEMO LAB
SERVER/OU=RandD/CN=www.mev.com
Getting CA Private Key
Enter PEM pass phrase:
cacert.srl: No such file or directory
2279:error:02001002:system library:fopen:No such file or
directory:bss_file.c:245:fopen('cacert.srl','r')
2279:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:

Looks like it's looking for a file cacert.srl, but I never specified this
filename.

Any insight on this?

Rohan
----- Original Message -----
From: "Charles B Cranston" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 19, 2003 12:21 PM
Subject: Re: Newbie question - Signing CSR's



Rohan Pinto wrote:
>I wrote

What you need to do is:

1. create a root certificate
2. install that root certificate into all your web browsers
3. create a CSR on the server
4. use the root to sign that CSR into a server certificate

This is the part that I would need help on. I have created a root
certificate, I've imported that into all my web browsers and also on the
webserver. I have also created a CSR from the webserver. I don't know how
to sign the CSR .... If I could get some advice on how to sign a CSR I
would at least get an understanding of the flow. From what I have
understood so far... I used the rootCA private key while signing the CSR.
The webserver's public key is sitting somewhere on the webserver. I would
need to use that key to sign the CSR. The question is, how do I get that
key? Also.... I am confused as I believed that the webserver's key would
be embedded in the CSR.

You are doing fine until you get to "signing the CSR with the
webserver's public key which is sitting somewhere on the webserver."

Important theoretical points

1. The CSR "IS" the webserver's public key, plus some ID info

2. The CSR is made INTO the Certificate by signing with the
   root's private key (not any server key nor any public key)

3. The webserver's PRIVATE key is the one sitting somewhere on
   the webserver

4. The Certificate IS the webserver's public key (as obtained
   from the CSR) and is SIGNED using the root's private key.
   Why?  So the root's public key, which EVERYBODY has access to,
   can be used to VERIFY that the certificate has not been forged.

So, take the CSR from the webserver machine to the machine where
you are running OpenSSL.  Sign the CSR into a certificate using
the private key from the root certificate.  This can be done with
either the "ca" tool (or something like CA.PL which calls it) or
with the "x509" tool.  Take the certificate back and install it
into the webserver.  The way to do this varies from webserver to
webserver but go to

http://www.ssl.com/support/installation.jsp

and look at the menu over on the right hand side.  Find your
webserver software and see if they have good installation
documentation.  This is a VERY well done web site.


5. install the server certificate on the server

Wish I could get some pointers on the steps to sign a CSR that's
generated from a webserver (which resides on the abcd.com domain) using
openssl that resides on xyz.com.


on xyz.com:

   ftp abcd.com
   get server.csr.pem
   quit
   openssl x509 -req -in server.csr.pem \
                -CA root.cert.pem -CAkey root.key.pem <more options> \
                -out server.cert.pem
   ftp abcd.com
   put server.cert.pem

Under <more options> there is -CAserial to set a serial number,
maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the
certificate lifetime, etc.  Some of these things can be set in the
OpenSSL configuration file.  I'd look at "man x509".

Alternatively, signing can be done with the "ca" tool, but I'm
not so familiar with it.  It requires an infrastructure of a data
file and a serial number file and directories of various things etc
and since I based our database on Oracle it seemed too high-level and
high-maintenance to use.  Unfortunately it seems I need to use it
for my personal identity and privacy PKIs since "x509" doesn't seem
to know how to process a SPKIX file.

Sorry about my somewhat fuzzy (and in some places WRONG) answer
before.  I should REALLY learn not to type anything in before noon.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
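As an added example that is not part of this thread, the script below walks the "x509" signing flow Ben lays out (root key and self-signed root cert, server key and CSR, signing the CSR with the root's private key) and seeds cacert.srl with the two hex digits 1A so the serial-file behaviour described at the top of the thread can be observed directly. It assumes openssl(1) is on PATH; the file names, subjects and the sign_demo function are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the x509(1) signing flow and
# show what the .srl serial file does. Assumes openssl(1) on PATH; every file
# name and subject below is constructed for the demo (thread names reused).
set -eu

sign_demo() {
    work=$(mktemp -d)
    (
        cd "$work"

        # 1. Root CA: private key plus self-signed root certificate (Rohan's
        #    first two commands, with -subj so nothing prompts).
        openssl genrsa -out privkey.pem 2048 2>/dev/null
        openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 \
            -subj "/C=US/O=MEV DEMO LAB/CN=Demo Root CA" 2>/dev/null

        # 2. Web server side: its own private key and a CSR, which carries the
        #    server's PUBLIC key plus the ID info (Ben's points 1 and 3).
        openssl genrsa -out server.key.pem 2048 2>/dev/null
        openssl req -new -key server.key.pem -out server.csr.pem \
            -subj "/C=US/O=MEV DEMO LAB/CN=www.mev.com" 2>/dev/null

        # 3. The file x509 opens when -CAserial is absent: same basename as the
        #    CA cert, .srl suffix, hex digits (an even number of them).
        printf '1A\n' > cacert.srl

        # 4. Sign the CSR into a certificate with the ROOT's private key
        #    (-sha256 in place of the -sha1 Ben suggested in 2003).
        openssl x509 -req -in server.csr.pem -CA cacert.pem -CAkey privkey.pem \
            -days 1024 -sha256 -out server.cert.pem 2>/dev/null

        # 5. What came out: the cert's serial, the rewritten .srl, and whether
        #    the root's public key verifies the new certificate (point 4).
        serial=$(openssl x509 -in server.cert.pem -noout -serial)
        srl=$(cat cacert.srl)
        if openssl verify -CAfile cacert.pem server.cert.pem >/dev/null 2>&1; then
            ok=verified
        else
            ok=NOT-verified
        fi
        printf '%s srl=%s %s\n' "$serial" "$srl" "$ok"
    )
    rm -rf "$work"
}
```

x509 reads the hex value from cacert.srl, adds one, writes the result back and uses it as the new certificate's serial, so the run prints the incremented value for both the certificate and the file.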
