> From: owner-openssl-us...@openssl.org On Behalf Of Llenlleawg
> Sent: Saturday, 12 December, 2009 15:17
> Here is a brief outline of what I'm trying to do. I'm trying to
> create a certificate signed by my own CA and private key.
>
> I followed the steps on the following site to set up my own CA.
>
> http://www.mobilefish.com/developer/openssl/openssl_quickguide_create_ca.html
>
> and then followed the steps on this page to try to create the
> certificate.
>
> http://www.mobilefish.com/developer/openssl/openssl_quickguide_ca_certificate.html
>
> My problem is when I get to step 7 on the second page. I receive the
> following error when I run the command in step 7.
>
> C:\OpenSSL\bin>openssl rsa < newreq.pem > newkey.pem
> unable to load Private Key
> 6068:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: ANY PRIVATE KEY

They appear to have been confused/misled and not tested.
Some older versions of 'CA.pl newreq' (and newreq-nodes),
in particular 0.9.7d which they identify and I happen to have
to hand on an old system, incorrectly say at the end:
  Request (and private key) is in newreq.pem
but in fact the request is in newreq.pem and the privkey
is in newkey.pem. As they should be, because a CSR does not,
and in general for security MUST not, contain the privkey.

If you just skip their step 7 it looks like it should work.

Aside: their description at the top of the page isn't quite
correct. Assuming kRSA, as they apparently do, the browser (client)
doesn't choose and send the actual sessionkey, rather the
premaster secret which is used to derive the sessionkeys
(there are actually two, encryption and MAC).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
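
The split described in the reply above (request in newreq.pem, private key in newkey.pem) can be checked by reading the PEM block labels in each file. The following is an added example, not part of the original message or of OpenSSL; the function names, the label sets and the sample file contents are assumptions made for illustration.

```python
import re

# PEM encapsulation boundaries: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Assumption: a representative set of labels for what the error message
# calls "ANY PRIVATE KEY"; not an exhaustive list for every OpenSSL version.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def pem_labels(text):
    """Return the label of every PEM block in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_file(name, text):
    """Classify one PEM file by the block types it contains."""
    labels = pem_labels(text)
    has_key = any(label in PRIVATE_KEY_LABELS for label in labels)
    has_csr = any(label in CSR_LABELS for label in labels)
    if has_key and has_csr:
        verdict = "key and request in one file: split before sending the request"
    elif has_key:
        verdict = "private key: keep local"
    elif has_csr:
        verdict = "request only: a private-key load finds no start line"
    else:
        verdict = "no key or request block"
    return {"file": name, "labels": labels, "has_key": has_key, "verdict": verdict}


# Constructed sample inputs: the bodies are placeholder base64, not key material.
SAMPLES = {
    "newreq.pem": "-----BEGIN CERTIFICATE REQUEST-----\n"
                  "Q09OU1RSVUNURUQ=\n-----END CERTIFICATE REQUEST-----\n",
    "newkey.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
                  "UExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(check_file(name, text))
```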