> From: owner-openssl-us...@openssl.org On Behalf Of andrew.luke
> Sent: Thursday, 04 June, 2009 09:11

> I've been trying to generate a self signed certificate to get
> SSL working on a very simple internal web server. I'm using
> a Windows Server 2003 box so I got the OpenSSL Windows
> binaries from
> http://www.slproweb.com/products/Win32OpenSSL.html. Using a
> HOWTO I found here
> http://www.sitepoint.com/article/securing-apache-2-server-ssl/
> I used the following command to try and generate a cert:
>
> openssl req -new -key domainname.com.key -x509 -out sslname.crt
>
> I got an error on that one so I tried a command the
> openssl.org documentation had:
>
> openssl req -new -key privkey.pem -out cert.csr
>

Note this second way won't generate a cert; it will generate a CSR
(Certificate Signing Request) which you can then turn into a cert.
That's also a valid approach, but slightly more complicated.
The combination of -new -x509 generates a self-signed cert;
-new without -x509 generates a CSR. (No -new at all allows you
to display, or manipulate, an already existing CSR.)

> Again I got an error like this:
> Error opening Private Key privkey.pem
> 3924:error:02001002:system library:fopen:No such file or
> directory:.\crypto\bio\bss_file.c:356:fopen
> 3924:error:20074002:BIO routines:FILE_CTRL:system
> lib:.\crypto\bio\bss_file.c:358:
> unable to load Private Key
>
> Any idea what the problem is?

Yeah, the private key file doesn't exist, as it says.
req -new [-x509] generates CSR-or-cert FOR AN EXISTING KEY.
If you want the req command to generate the key itself,
you also need -newkey parms and -keyout file, or use a config
containing default_bits (RSA only) and default_keyfile.
If you want to generate the key separately with openssl,
first use genrsa, or gendsa and optionally dsaparam.
If you want to use a key imported from elsewhere, describe
in detail, but you're usually better off creating the cert
or at least CSR in that elsewhere instead of openssl.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
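
Added example, not part of the original message: the two working routes the reply describes (key made first with genrsa, or key made by req via -newkey/-keyout), the failing -key case, and two checks that the resulting certificate really belongs to the key and is self-signed. The file names, the subject, the function names, and the -subj, -days and -nodes options are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). File names and subject are constructed.
SUBJ="/CN=intranet.example.test"

# Route A: create the key first, then "req -new -x509" makes a cert FOR THAT KEY.
make_cert_existing_key() (
    umask 077                       # new files readable by the owner only
    openssl genrsa -out "$1/server.key" 2048 &&
    openssl req -new -x509 -key "$1/server.key" -subj "$SUBJ" \
        -days 365 -out "$1/server.crt"
)

# Route B: let req create the key too, via -newkey and -keyout.
# -nodes leaves the key unencrypted so nothing prompts for a passphrase.
make_cert_new_key() (
    umask 077
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -subj "$SUBJ" -days 365 -out "$1/server.crt"
)

# The failing case from the thread: -key names a file that does not exist.
req_missing_key() {
    openssl req -new -key "$1/privkey.pem" -subj "$SUBJ" -out "$1/cert.csr"
}

# Check 1: the certificate carries the public half of server.key.
key_matches_cert() {
    k=$(openssl pkey -in "$1/server.key" -pubout) &&
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey) &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: self-signed means subject and issuer are the same name.
is_self_signed() {
    s=$(openssl x509 -in "$1/server.crt" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1/server.crt" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Run "sh thisfile demo" to exercise route B in a scratch directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_cert_new_key "$d" && key_matches_cert "$d" &&
        is_self_signed "$d" && echo "ok: $d/server.crt matches $d/server.key"
fi
```

Because -nodes writes the private key in the clear, keep server.key readable only by the account the web server runs as.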