Re: Unable to create multiple certificates from a single self-signed CA.
Hi Mick,

I want to create 5 certificates from a single self-signed CA. I've been able to create 3 certificates as of now. However, only the first certificate of mine is working with the root certificate, the other 2 are not working.

Could you please explain what you mean by not working?

The certificate sent in the message to the phone is not getting accepted by the phone. The phone must respond to the certificate message if it has received the certificate. In the case with the first working certificate the phone responds to this message and hence is a proof that the first certificate is correct. So the problem is with the 2nd and 3rd certificate.

The later 2 certificates are created from the same CA.crt and CA.key as were used to create the first certificate. The differences that lie with all the 3 certificates are as below:

1. Common Name
2. Subject and DNS name in the SubjectAltName
3. Serial Number of the certificates (with number 2 and 3 chosen for the later created 2 certificates)

Frankly, I do not know how to create multiple certificates from a single self-signed CA. Please, someone guide me in this. Also, my CA.crt and CA.key have already been flashed to the device, so I do not have any option of re-creating the CA.crt and CA.key.

I saw somewhere on a post that separate CA.keys need to be developed as well for creating multiple certificates. Is this true?

Not as far as I know - what you need is separate user keys. You generate a new user key and you use this to sign a csr, e.g.:

$ openssl genrsa -des3 -out user2_key.pem 2048
$ openssl req -new -key user2_key.pem -out user2_req.pem

In fact, I did exactly the same with the same commands. I generated the new user keys and the new csrs for the 2nd and 3rd certificate.

Then you use your CA.crt and your CA.key to sign the user2_cert.csr with:

$ openssl x509 -req -in user2_req.pem -days 365 -CA CA.crt -CAkey \
    CA.key -set_serial 01 -out user2_cert.pem

That should create a new SSL certificate, signed by your CA, valid for one year, for user2. Repeat for user3 to user5.

Of course, there's more than one way to skin a cat - the above is just one of them. It depends how many certs you will be creating over time; setting up a /etc/ssl/openssl.cnf file with your default settings will help automate the process and minimise the option entries on the command line.

--
Regards,
Mick

Did exactly the same. Would you like to have a look at the certificates to find out what exactly is missing?

Regards,
Rajat
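The procedure described in this message (one CA key, a fresh user key and CSR per certificate, a distinct serial for each), as an added shell example that is not from the thread. The throwaway CA, `demo.cnf`, the `userN.example.test` names and the function names are constructed; the SAN is supplied with `-extfile` because `openssl x509 -req` does not copy extensions from the CSR by default.

```shell
#!/bin/sh
# Added example: five leaf certificates from one CA key. All names constructed.

# Throwaway CA standing in for the CA.crt / CA.key already on the device.
make_demo_ca() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > demo.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config demo.cnf \
        -subj "/CN=Demo Root CA" -keyout CA.key -out CA.crt 2>/dev/null
}

# issue_cert NAME SERIAL: fresh key and CSR for NAME, signed with CA.key.
issue_cert() {
    name=$1
    serial=$2
    openssl genrsa -out "${name}_key.pem" 2048 2>/dev/null || return 1
    openssl req -new -config demo.cnf -key "${name}_key.pem" \
        -subj "/CN=${name}.example.test" -out "${name}_req.pem" || return 1
    # x509 -req does not copy CSR extensions by default, so the SAN is
    # supplied at signing time through an extension file.
    printf 'subjectAltName = DNS:%s.example.test\n' "$name" > "${name}_ext.cnf"
    openssl x509 -req -in "${name}_req.pem" -days 365 \
        -CA CA.crt -CAkey CA.key -set_serial "$serial" \
        -extfile "${name}_ext.cnf" -out "${name}_cert.pem" 2>/dev/null
}

# check_cert NAME: the chain must verify against CA.crt and carry the SAN.
check_cert() {
    openssl verify -CAfile CA.crt "${1}_cert.pem" >/dev/null 2>&1 &&
        openssl x509 -in "${1}_cert.pem" -noout -text |
            grep -q "DNS:${1}.example.test"
}

# run_demo: issue user1..user5 with serials 1..5 in a scratch directory.
run_demo() {
    workdir=$(mktemp -d) && cd "$workdir" || return 1
    make_demo_ca || return 1
    n=1
    while [ "$n" -le 5 ]; do
        issue_cert "user$n" "$n" && check_cert "user$n" || return 1
        n=$((n + 1))
    done
}

run_demo && echo "all five certificates verify against CA.crt"
```

Running `check_cert` on each issued file shows whether a given certificate chains to the CA and carries the expected SAN before it is sent to a device.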
Unable to create multiple certificates from a single self-signed CA.
Hi Folks!

I want to create 5 certificates from a single self-signed CA. I've been able to create 3 certificates as of now. However, only the first certificate of mine is working with the root certificate, the other 2 are not working.

The later 2 certificates are created from the same CA.crt and CA.key as were used to create the first certificate. The differences that lie with all the 3 certificates are as below:

1. Common Name
2. Subject and DNS name in the SubjectAltName
3. Serial Number of the certificates (with number 2 and 3 chosen for the later created 2 certificates)

Frankly, I do not know how to create multiple certificates from a single self-signed CA. Please, someone guide me in this. Also, my CA.crt and CA.key have already been flashed to the device, so I do not have any option of re-creating the CA.crt and CA.key.

I saw somewhere on a post that separate CA.keys need to be developed as well for creating multiple certificates. Is this true? If yes, do I need to create a new CA.key for every new certificate to be certified by this single CA, keeping in consideration that CA.crt and 1 CA.key have already been flashed to the device?

Please, someone help and elaborate on this for me.

Thanks and regards,
Rajat
Re: How to get rid of this message :Enter PEM pass phrase ?
1. rpm -e openssl ( to install the already installed openssl-0.9.8b)

1) Reinstall the openssl package that came with Fedora. Unless you are going to rebuild all the packages that depend on it, you will face a nightmare.

2) Strip off the password from your .pem file - if you really don't want to manually type in the password. There are plenty of guides about doing this - mostly for those people with openssl certs for their apache, for example.

alan

Hi Alan!

Thanks for the suggestions and help.

Rajat
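The second suggestion above, removing the passphrase from the key file, as an added shell example that is not from the thread. File names and the passphrase are constructed; because the resulting key is stored unencrypted, the script creates it with owner-only permissions and checks that it is still the same key.

```shell
#!/bin/sh
# Added example: remove the passphrase from a PEM RSA key. Names constructed.

# strip_passphrase IN OUT PASSFILE: write an unencrypted copy of key IN.
strip_passphrase() {
    (
        umask 077    # the new key file is readable by its owner only
        openssl rsa -in "$1" -passin "file:$3" -out "$2" 2>/dev/null
    )
}

# is_encrypted FILE: true while the PEM key is still passphrase-protected.
# Both PEM encodings (traditional and PKCS#8) mark this with "ENCRYPTED".
is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# same_key A B PASSFILE: true when both files hold the same RSA key pair.
same_key() {
    a=$(openssl rsa -in "$1" -passin "file:$3" -pubout 2>/dev/null) || return 1
    b=$(openssl rsa -in "$2" -passin "file:$3" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# run_demo: make an encrypted key, strip it, and check the result.
run_demo() {
    workdir=$(mktemp -d) && cd "$workdir" || return 1
    printf 'constructed-demo-passphrase\n' > pass.txt
    openssl genrsa -aes256 -passout file:pass.txt -out key_enc.pem 2048 \
        2>/dev/null || return 1
    strip_passphrase key_enc.pem key_plain.pem pass.txt || return 1
    is_encrypted key_enc.pem && ! is_encrypted key_plain.pem &&
        same_key key_enc.pem key_plain.pem pass.txt
}

run_demo && echo "key_plain.pem loads without a pass phrase"
```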
How to get rid of this message :Enter PEM pass phrase ?
Hi Folks!

I am using openssl-0.9.8b. My application racoon, which is a key management software for IPsec, uses openssl to read the self-signed certificates. Every time my certificate is read, I'm asked for the pass phrase:

Enter the PEM pass phrase

I always enter the password: abcd

I want to get rid of this prompt, so I used the tar ball of this version of openssl and right before after this prompt I did a strcpy (to the string which actually reads the user input) to avoid reading the string entered from the keyboard. But things are not working. My application is still asking for the password.

I did, after the addition of strcpy:

1. rpm -e openssl ( to install the already installed openssl-0.9.8b)
2. ./config
3. make
4. make test
5. make install

Also, I'm facing the error:

unable to find libopenssl.so.6

and my linux machine (FC6, kernel 2.6.18) is not booting properly (the GUI does not appear).

Please help. I know there is something missing in the above 5 steps (related to libraries), but I am not sure. Please help.

---
Warm regards,
Rajat