Re: CA Issues
Paddy Tollan wrote:
> Hi this is the contents of the file openssl.cnf as I have typed it
[...]

OK. I've copied and pasted what you've posted here, and followed the summary at http://www.eclectica.ca/howto/ssl-cert-howto.php#summy and I cannot get it to fail in the way that you described:

    mkdir /root/CA
    cd /root/CA
    cat >openssl.cnf    # Copied and pasted from your message
    mkdir newcerts private
    echo '01' >serial
    touch index.txt
    openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
    openssl req -new -nodes -out req.pem -config ./openssl.cnf
    openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
    # Error "commonName field needed to be supplied and was missing"

The error was expected, due to having omitted the mandatory commonName field (which is really most of what these certificates are all about).

At every point where I was required to enter something, I just hit [Enter]. The exception to this is for the CA password, for which I used a trivial word.

Can you reproduce this, or do you still get your original error as described?

Chris

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/frgtn8xojm@news.roaima.co.uk
Re: CA Issues
On Sat, 29 Oct 2011 03:02:43 +, Paddy Tollan wrote:

>> From: chris-use...@roaima.co.uk
>> Subject: Re: CA Issues
>> Date: Fri, 28 Oct 2011 16:16:46 +0100
>> To: debian-user@lists.debian.org
>>
>> Paddy Tollan wrote:
>> > first sorry for the HTML the output from the output of ls -l
>> > /root/CA/* is
>> [...]
>> > -rw-r--r-- 1 root root 2110 openssl.cnf
>>
>>
>> It seems that your keyboard has run out of fullstops and commas. Can I
>> please suggest that you get it filled up again, so that your writing
>> becomes easier to understand.
>>
>> That's not the openssl.cnf available following instructions at
>> http://www.eclectica.ca/howto/ssl-cert-howto.php#summy for download at
>> ftp://ftp.binarytool.com/pub/linux/ssl/openssl.cnf. Even if you have
>> copied and pasted, and included the (invalid) Begin/End labels, that
>> should still be only 1932 bytes.
>>
>> Can you tell us how you have customised it?

> Hi this is the contents of the file openssl.cnf as I have typed it:

(...)

It looks like you have edited too much and also the directory paths, why? :-?

Use the given configuration file "as is¹" (do not copy/paste its content but fully download the file), open it with your preferred text editor, change just the company details to match yours and try again.

¹ftp://ftp.binarytool.com/pub/linux/ssl/openssl.cnf

Greetings,

--
Camaleón
RE: CA Issues
Hi this is the contents of the file openssl.cnf as I have typed it:

    #---Begin-
    #
    #OpenSSL configuration file.

    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    dir= /root/CA
    serial = $dir/serial
    database = $dir/index.txt
    new_certs_dir = $dir/newcerts
    certificate = $dir/cacert.pem
    private_key = $dir/private/cakey.pem
    default_days = 365
    default_md = md5
    preserve = no
    email_in_dn = no
    nameopt = default_ca
    certopt = default_ca
    policy = policy_match

    [ policy_match ]
    countryName= match
    stateOrProvinceName= match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ req ]
    default_bits = 1024 # Size of keys
    default_keyfile = key.pem # name of generated keys
    default_md = md5 # message digest algorithm
    string_mask = nombstr # permitted characters
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

    [ req_distinguished_name ]
    # Variable name Prompt string
    #- ---
    O.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (department, division)
    emailAddress= Email Address
    emailAddress_max= 40
    localityName= Locality Name (city, district)
    stateOrProvinceName = State or Province Name (full name)
    countryName = Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    commonName = Common Name (hostname, IP, or your name)
    commonName_max = 64

    # Default values for the above info
    # Variable name Value
    # -
    O.organizationName_default = Paddys Computer Services
    localityName_default = New Zealand
    stateOrProvinceName_default = Timaru
    countryName_default = NZ

    [ v3_ca ]
    basicConstraints = CA: TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always

    [ v3_req ]
    basicConstraints= CA: FALSE
    subjectKeyIdentifier = hash
    #---End---

All the directories and files exist

> From: chris-use...@roaima.co.uk
> Subject: Re: CA Issues
> Date: Fri, 28 Oct 2011 16:16:46 +0100
> To: debian-user@lists.debian.org
>
> Paddy Tollan wrote:
> > first sorry for the HTML the output from the output of ls -l /root/CA/* is
> [...]
> > -rw-r--r-- 1 root root 2110 openssl.cnf
>
>
> It seems that your keyboard has run out of fullstops and commas. Can
> I please suggest that you get it filled up again, so that your writing
> becomes easier to understand.
>
> That's not the openssl.cnf available following instructions at
> http://www.eclectica.ca/howto/ssl-cert-howto.php#summy for download at
> ftp://ftp.binarytool.com/pub/linux/ssl/openssl.cnf. Even if you have
> copied and pasted, and included the (invalid) Begin/End labels, that
> should still be only 1932 bytes.
>
> Can you tell us how you have customised it?
>
> Cheers,
> Chris
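Added example, not part of any message in this thread: a Python check that resolves the files named in [ CA_default ] the way an `openssl ca` run started in a given working directory would open them, and reports any that are missing or a CA key that group/other can access. SAMPLE_CNF is constructed from the path settings posted above; parse_cnf, ca_paths and check_ca are hypothetical helper names.

```python
import os
import re

# Constructed sample: the [ ca ] / [ CA_default ] path settings as posted above.
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /root/CA
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
"""
FILE_KEYS = ("serial", "database", "new_certs_dir", "certificate", "private_key")

def parse_cnf(text):
    """Minimal OpenSSL-style parser: [ section ], key = value, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def ca_paths(text, cwd):
    """Resolve the CA files as seen from cwd; expands same-section $name only."""
    sections = parse_cnf(text)
    ca = sections[sections["ca"]["default_ca"]]
    paths = {}
    for key in FILE_KEYS:
        value = re.sub(r"\$\{?(\w+)\}?", lambda m: ca[m.group(1)], ca[key])
        paths[key] = os.path.normpath(os.path.join(cwd, value))
    return paths

def check_ca(text, cwd):
    """List missing paths and a CA key that group/other can access."""
    problems = []
    for key, path in ca_paths(text, cwd).items():
        if not os.path.exists(path):
            problems.append(f"{key}: {path} does not exist")
        elif key == "private_key" and os.stat(path).st_mode & 0o077:
            problems.append(f"{key}: {path} is accessible to group/other")
    return problems
```

With an absolute `dir` the working directory does not matter; with a relative `dir` (a constructed variant, not the file posted above) every path moves with the directory the command is run from.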
Re: CA Issues
On Fri, 28 Oct 2011 09:40:07 +, Paddy Tollan wrote:

>> > Hi I am trying to generate a self signed CA certificate for a debian
>> > mail server I am able to start the process but when it comes to
>> > signing
>> > the certificate eg running the command openssl ca -out cert.pem
>> > -config ./openssl.cnf -infiles req.pem
>> >
>> > I get the error msg "error opening CA private key
>> > CA/private/cakey.pem no such file or directory error opening private
>> > key the directory and file is there at /root/CA/private/cakey.pem so
>> > not sure what to do to fix this any help valued i am using the file
>> > at this website as my base
>> >
>> >
>> > http://www.eclectica.ca/howto/ssl-cert-howto.php
>>
>> Are you using the suggested "openssl.cnf" file as template?
>>
>> What's the output of "ls -l /root/CA/*"?

> Hi
> first sorry for the HTML the output from the output of ls -l /root/CA/*
> is
>
> -rw-r--r-- 1 root root 1419 cacert.pem
> -rw-r--r-- 1 root root 0 index.txt
> -rw-r--r-- 1 root root 887 key.pem
> drwxr-xr-x 2 root root 4096 newcerts
> -rw-r--r-- 1 root root 2110 openssl.cnf
> drwxr-xr-x 2 root root 4096 private
> -rw-r--r-- 1 root root 875 req.pem
> -rw-r--r-- 1 root root 3 serial
>
> ls -l /root/CA/private* produces:
> -rw-r--r-- 1 root root 963 cakey.pem
>
> I am using http://www.eclectica.ca/howto/ssl-cert-howto.php as my
> template

All seems to be correct :-?

Ensure you are located at the proper directory level. I mean, as root:

    cd /root/CA

And then run the command from there:

    openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem

Greetings,

--
Camaleón
Re: CA Issues
Paddy Tollan wrote:
> first sorry for the HTML the output from the output of ls -l /root/CA/* is
[...]
> -rw-r--r-- 1 root root 2110 openssl.cnf

It seems that your keyboard has run out of fullstops and commas. Can I please suggest that you get it filled up again, so that your writing becomes easier to understand.

That's not the openssl.cnf available following instructions at http://www.eclectica.ca/howto/ssl-cert-howto.php#summy for download at ftp://ftp.binarytool.com/pub/linux/ssl/openssl.cnf. Even if you have copied and pasted, and included the (invalid) Begin/End labels, that should still be only 1932 bytes.

Can you tell us how you have customised it?

Cheers,
Chris
RE: CA Issues
Hi
first sorry for the HTML the output from the output of ls -l /root/CA/* is

    -rw-r--r-- 1 root root 1419 cacert.pem
    -rw-r--r-- 1 root root 0 index.txt
    -rw-r--r-- 1 root root 887 key.pem
    drwxr-xr-x 2 root root 4096 newcerts
    -rw-r--r-- 1 root root 2110 openssl.cnf
    drwxr-xr-x 2 root root 4096 private
    -rw-r--r-- 1 root root 875 req.pem
    -rw-r--r-- 1 root root 3 serial

ls -l /root/CA/private* produces:

    -rw-r--r-- 1 root root 963 cakey.pem

I am using http://www.eclectica.ca/howto/ssl-cert-howto.php as my template

> To: debian-user@lists.debian.org
> From: noela...@gmail.com
> Subject: Re: CA Issues
> Date: Thu, 27 Oct 2011 15:13:37 +
>
> On Thu, 27 Oct 2011 09:33:46 +, Paddy Tollan wrote:
>
> (please, avoid using html formatted messages)
>
> > Hi I am trying to generate a self signed CA certificate for a debian
> > mail server I am able to start the process but when it comes to signing
> > the certificate eg running the command openssl ca -out cert.pem -config
> > ./openssl.cnf -infiles req.pem
> >
> > I get the error msg "error opening CA private key CA/private/cakey.pem
> > no such file or directory error opening private key the directory and
> > file is there at /root/CA/private/cakey.pem so not sure what to do to
> > fix this any help valued i am using the file at this website as my base
> >
> >
> > http://www.eclectica.ca/howto/ssl-cert-howto.php
>
> Are you using the suggested "openssl.cnf" file as template?
>
> What's the output of "ls -l /root/CA/*"?
>
> Greetings,
>
> --
> Camaleón
Re: CA Issues
On Thu, 27 Oct 2011 09:33:46 +, Paddy Tollan wrote:

(please, avoid using html formatted messages)

> Hi I am trying to generate a self signed CA certificate for a debian
> mail server I am able to start the process but when it comes to signing
> the certificate eg running the command openssl ca -out cert.pem -config
> ./openssl.cnf -infiles req.pem
>
> I get the error msg "error opening CA private key CA/private/cakey.pem
> no such file or directory error opening private key the directory and
> file is there at /root/CA/private/cakey.pem so not sure what to do to
> fix this any help valued i am using the file at this website as my base
>
>
> http://www.eclectica.ca/howto/ssl-cert-howto.php

Are you using the suggested "openssl.cnf" file as template?

What's the output of "ls -l /root/CA/*"?

Greetings,

--
Camaleón