I keep getting an error when I try this.
I generated privkey.pem by using
./openssl genrsa -out privkey.pem 2048
and cacert.pem by using
./openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
Then I generated a CSR from my webserver (on a different domain, a different
box, a different instance altogether), named it mev.csr.pem, and
transferred that file over to the box running openssl.
./openssl x509 -req -in mev.csr.pem -CA cacert.pem -CAkey privkey.pem -days 1024 -out mev.cert.pem
Signature ok
subject=/C=US/ST=California/L=San Jose/O=MEV DEMO LAB SERVER/OU=RandD/CN=www.mev.com
Getting CA Private Key
Enter PEM pass phrase:
cacert.srl: No such file or directory
2279:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('cacert.srl','r')
2279:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
It looks like it's looking for a file named cacert.srl, but I never specified
this filename. Any insight on this?
Rohan
- Original Message -
From: Charles B Cranston [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 12:21 PM
Subject: Re: Newbie question - Signing CSR's
Rohan Pinto wrote:
I wrote
What you need to do is:
1. create a root certificate
2. install that root certificate into all your web browsers
3. create a CSR on the server
4. use the root to sign that CSR into a server certificate
This is the part that I would need help on. I have created a root
certificate, I've imported that into all my web browsers and also on the
webserver. I have also created a CSR from the webserver. I don't know how to
sign the CSR. If I could get some advice on how to sign a CSR I would at
least get an understanding of the flow. From what I have understood so
far... I used the rootCA private key while signing the CSR. The webserver's
public key is sitting somewhere on the webserver. I would need to use that
key to sign the CSR. The question is: how do I get that key? Also I am
confused, as I believed that the webserver's key would be embedded in the
CSR.
You are doing fine until you get to signing the CSR with the
webserver's public key which is sitting somewhere on the webserver.
Important theoretical points
1. The CSR IS the webserver's public key, plus some ID info
2. The CSR is made INTO the Certificate by signing with the
root's private key (not any server key nor any public key)
3. The webserver's PRIVATE key is the one sitting somewhere on
the webserver
4. The Certificate IS the webserver's public key (as obtained
from the CSR) and is SIGNED using the root's private key.
Why? So the root's public key, which EVERYBODY has access to,
can be used to VERIFY that the certificate has not been forged.
So, take the CSR from the webserver machine to the machine where
you are running OpenSSL. Sign the CSR into a certificate using
the private key from the root certificate. This can be done with
either the ca tool (or something like CA.PL which calls it) or
with the x509 tool. Take the certificate back and install it
into the webserver. The way to do this varies from webserver to
webserver but go to
http://www.ssl.com/support/installation.jsp
and look at the menu over on the right hand side. Find your
webserver software and see if they have good installation
documentation. This is a VERY well done web site.
5. install the server certificate on the server
Wish I could get some pointers on the steps to sign a CSR that's
generated from a webserver (which resides on the abcd.com domain) using
openssl that resides on xyz.com.
on xyz.com:
ftp abcd.com
get server.csr.pem
quit
openssl x509 -req -in server.csr.pem \
-CA root.cert.pem -CAkey root.key.pem more options \
-out server.cert.pem
ftp abcd.com
put server.cert.pem
Under more options there is -CAserial to set a serial number,
maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the
certificate lifetime, etc. Some of these things can be set in the
OpenSSL configuration file. I'd look at man x509.
Alternatively, signing can be done with the ca tool, but I'm
not so familiar with it. It requires an infrastructure of a data
file and a serial number file and directories of various things etc
and since I based our database on Oracle it seemed too high-level and
high-maintenance to use. Unfortunately it seems I need to use it
for my personal identity and privacy PKIs since x509 doesn't seem
to know how to process a SPKIX file.
Sorry about my somewhat fuzzy (and in some places WRONG) answer
before. I should REALLY learn not to type anything in before noon.
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
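The whole flow from Ben's answer, end to end, as an added example that is not part of the thread above: root key and self-signed root certificate, a CSR made with the server's own key pair, the CSR signed into a certificate with the root's private key via "openssl x509 -req", and a chain check with "openssl verify". It also addresses Rohan's "cacert.srl: No such file or directory" error: x509 -req keeps its serial counter in a file named after the CA certificate (cacert.pem gives cacert.srl), and the documented -CAcreateserial option (or -CAserial with an explicit file) makes it create that file on first use instead of failing on the missing fopen. The working directory, file names, subject names and the -sha256 digest are choices made for this demo, and command noise is sent to /dev/null; it needs only a stock openssl binary.

```shell
#!/bin/sh
# Added example, not code from the original thread. Demonstrates signing a
# CSR into a server certificate with the root's private key using
# "openssl x509 -req", including the .srl serial file that caused the
# "cacert.srl: No such file or directory" error in the thread.
# All paths and subject names here are made up for the demo.

set -eu

# Scratch directory; every file below lives here (demo assumption).
WORK="${WORK:-$(mktemp -d)}"

# Step 1: root (CA) private key and self-signed root certificate.
make_root() {
    openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/privkey.pem" -out "$WORK/cacert.pem" \
        -days 1095 -subj "/O=Demo Lab/CN=Demo Root CA" 2>/dev/null
}

# Step 2: the web server makes its own key pair and a CSR. The CSR carries
# the server's PUBLIC key plus identity; the private key stays on the server
# and is never needed for signing.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key.pem" -out "$WORK/server.csr.pem" \
        -subj "/C=US/ST=California/L=San Jose/O=Demo Lab/CN=www.example.test" \
        2>/dev/null
}

# Step 3: sign the CSR with the ROOT's private key. x509 -req derives the
# serial file name from the CA certificate (cacert.pem -> cacert.srl);
# -CAcreateserial creates it with a random serial when it does not yet exist,
# and on later runs reads, increments and rewrites it.
sign_csr() {
    openssl x509 -req -in "$WORK/server.csr.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/privkey.pem" -CAcreateserial \
        -days 1024 -sha256 -out "$WORK/server.cert.pem" 2>/dev/null
}

# Step 4: anyone holding only the root's PUBLIC key (the root certificate)
# can check that the server certificate was signed by the root.
verify_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.cert.pem"
}

# The serial counter currently stored in the .srl file (hex).
ca_serial() {
    cat "$WORK/cacert.srl"
}

run_demo() {
    make_root
    make_server_csr
    sign_csr
    echo "serial file after first signing: $WORK/cacert.srl = $(ca_serial)"
    openssl x509 -in "$WORK/server.cert.pem" -noout -subject -issuer -serial
    verify_cert
}

run_demo
```

Two practical notes. The certificate inherits nothing from the CSR's extensions unless you ask for it (-extfile/-extensions, or -copy_extensions copy on OpenSSL 3.0 and later), so a certificate meant for browsers still needs a subjectAltName supplied at signing time. And the .srl file is state: keep it next to the CA certificate and back it up, because two certificates from the same root with the same serial are a real operational problem.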