Problem with certificate request.
Hi all,

I am having a problem generating a certificate request. I am installing a software called Appliance Manager on Win2k3 SP1. This is a Nokia software which installs apache server. I am unable to start the apache service and my understanding is that this is because I have not been able to generate a certificate (not even the request).

The path to apache is C:\Nokia\AM1_0\apache and there is the openssl tool in C:\Nokia\AM1_0\apache\bin

I have been supplied with a number of batch files to help?! me request and generate a certificate but so far I have failed. These are some of the lines of the script:

    echo Generating the Key for BE Server
    %OPENSSL_HOME%\bin\openssl genrsa -rand world.png -out BEServer.key 1024
    echo Generating the CSR for BE Server
    %OPENSSL_HOME%\bin\openssl req -new -key BEServer.key -out BEServer.csr
    echo Generating the Certificate for BE Server
    %OPENSSL_HOME%\bin\openssl x509 -req -days 3000 -in BEServer.csr -signkey BEServer.key -out BEServer.cer

I have created the OPENSSL_HOME variable and this should be right as it is generating the key. This is what I get from running the batch:

    C:\Nokia\AM1_0\binBECert.bat
    Generating the Key for BE Server
    Loading 'screen' into random state - done
    0 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ..++ ++
    e is 65537 (0x10001)
    Generating the CSR for BE Server
    Unable to load config info
    unable to find 'distinguished_name' in config
    problems making Certificate Request
    3176:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325:
    Generating the Certificate for BE Server
    Loading 'screen' into random state - done
    BEServer.csr: No such file or directory
    Copying the certificate into the destination folder
    1 file(s) copied.
    The system cannot find the file specified.
    The system cannot find the file specified.
    Importing the BEServer certificate into truststore file
    keytool error: java.lang.Exception: Alias bessl does not exist
    keytool error: java.io.FileNotFoundException: BEServer.cer (The system cannot find the file specified)

If I browse to C:\nokia\am1_0\apache\bin and run openssl, when I type req this is what I get:

    OpenSSL req
    Unable to load config info

Reading on this forum it would seem that I need to do something with the openssl.cnf file in the openssl folder but neither the file nor the folder exists on my machine.

Let me know if you need more info. I know it's a long shot, but any help would be appreciated.

Thanks,
Fu

Fulvio Allegretti
Network Consultant
Information Systems
RM plc
RE: Problem with certificate request.
Now solved. I had to download and install openssl and copy the openssl.cnf file from the openssl installation folder (usually c:\openssl\bin) to the nokia one (c:\nokia\am1_0\apache\bin).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fulvio Allegretti
Sent: Thursday, November 16, 2006 9:01 AM
To: openssl-users@openssl.org
Subject: Problem with certificate request.
Re: Problem with certificate request.
First create a CA key using the following command.

    openssl genrsa -des3 -out ca.key 1024

Assuming your config file is located in the openssl root directory you can create a CA cert using the following command.

    openssl req -config openssl.conf -new -x509 -key ca.key -out ca.cer

Now you can create your server key and certificate

    openssl genrsa -out server.key 1024
    openssl req -new -key server.key -out server.req -config openssl.conf
    openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -CAserial file.srl -CAcreateserial -out server.cer
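The fix reported in this thread was to give `openssl req` a config file. As an added example (not code from the posters or from the Nokia batch files), this Python check shows what that file has to contain for the request step to find a subject definition: a `[req]` section whose `distinguished_name` entry names a section that exists. The two sample configs, the section name `req_dn` and the function names are constructed for the illustration.

```python
import re

# Constructed sample: the smallest config that lets `openssl req -new` build a subject.
MINIMAL_CNF = """\
[ req ]
distinguished_name = req_dn   # names the section holding the subject fields
prompt             = no       # take the values below instead of prompting

[ req_dn ]
C  = GB
O  = Example Org
CN = beserver.example.test
"""

# Constructed sample: a [req] section without distinguished_name.
BROKEN_CNF = """\
[ req ]
default_bits = 2048
"""

def parse_cnf(text):
    """Parse [ section ] headers, name = value pairs and # comments only
    (no $variable expansion, no .include)."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections

def check_req_config(text):
    """Return the reasons `openssl req -new` could not find a subject definition."""
    if text is None:                  # the situation in the thread: no openssl.cnf at all
        return ["no config file loaded"]
    cfg = parse_cnf(text)
    if "req" not in cfg:
        return ["no [req] section"]
    dn = cfg["req"].get("distinguished_name")
    if dn is None:
        return ["[req] has no distinguished_name entry"]
    if not cfg.get(dn):
        return [f"distinguished_name points at missing or empty section [{dn}]"]
    return []
```
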
Re: Problem with certificate request...
ohaya wrote:
> Hi,
>
> I'm having a problem getting one particular certificate request for a server certificate accepted by a CA. The CA is using Netscape Certificate Manager, I believe, and I'm submitting my request by pasting my request into a browser.
>
> The error that I'm getting back is:
>
>     Sorry, your request has been rejected. The reason is
>     Request Rejected - Subject Name Not Matched
>     C=US,ST=VA,L=Testtown,O=TestCo,OU=TestDept,CN=test.foo.com
>
> I've been looking at some other (client) cert requests that I sent previously, and the only difference that I can detect is that the ones that work have the CN=... at the beginning of the Subject Name, vs. being at the end.
>
> I'm somewhat new at all of this, but would that (the location of the CN= in the Subject Name) cause the error I'm seeing?
>
> Thanks,
> Jim

Hi,

No one has responded to the above message, but, just in case anyone ever runs across this problem and is trying to work with NS CMS 6.2:

I've been able to confirm that my guess above was right, and it looks like CMS will reject cert requests if the information in the SubjectName is in an order which it doesn't expect.

The only way that I was able to get around this was to create a new profile that didn't include the checking for the CN=.

Jim
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        [EMAIL PROTECTED]
Automated List Manager           [EMAIL PROTECTED]
Re: problem w/certificate request to Netscape CMS
On Wed, Aug 16, 2000 at 05:10:57PM -0700, Alan E. Derhaag wrote:
> Is there possibly a diagnostic tool, besides the req listing option to openssl, that could indicate the validity of the certificate request?

An asn.1-to-text printer and a copy of PKCS#10.
Peter Gutmann's "dumpasn1" is a good asn.1 printer.

--
Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards.
Re: problem w/certificate request to Netscape CMS
Dr S N Henson [EMAIL PROTECTED] writes:
> > Still no success! The `openssl req -noout -text' output looks something like:
> >
> >     ...
> >     RSA Public Key: (1024 bit)
> >         Modulus (1024 bit):
> >             00:b8:66:e9:4f:ca:ba:4a:34:a8:2e:e4:65:d7:40:
> >             2d:1f:84:e6:07:c0:4c:d6:57:44:8e:89:4e:9c:bb:
> >             79:b2:5f:01:60:01:d9:6c:64:16:2d:99:c6:a2:5e:
> >             ef:1d:cb:32:fc:71:5b:69:cf:4a:e0:90:90:8f:d5:
> >             8b:dd:9a:fd:b7:5f:43:fa:b4:fb:03:30:f8:f7:86:
> >             0a:9e:f7:e9:aa:d1:a8:35:d1:e3:42:d4:a8:50:0e:
> >             37:be:a0:96:52:f1:a7:c9:08:15:a3:ba:a6:ec:ef:
> >             d9:09:cb:68:5b:62:c5:c8:97:14:db:18:95:90:1a:
> >             00:c1:65:fc:d9:41:e0:98:d3
> >         Exponent: 65537 (0x10001)
> >     Attributes:
> >         a0:00
> >     Signature Algorithm: md5WithRSAEncryption
> >     ...
> >
> > which I believe is valid (a length of zero) but I don't know what the `a0' indicates (set of?).
>
> Yeah. That's described in the manual page.
>
> Hmmm, are there any blank lines or extra stuff around the BEGIN and END lines? Also try a 512 bit key just in case.

Ahh.. I remedied the biggest problem. The certificate request did verify as good but the problem was that I was supplying the request to the Netscape Certificate Manager as a Netscape type certificate request (KEYGEN = subjectKeyGenInfo form field). When I changed it to be an MSIE request (pkcs10Request form field) the certificate was returned instead of the invalid format error return.

Thanks to all for your help and being the effective sounding board...

--
Alan E. Derhaag
N2H2, Creators of Bess and Searchopolis
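As an added illustration of two points from the last three messages (the order of attributes in the request's subject, and the `a0:00` bytes shown under Attributes), here is a small DER walker in Python; it is not code from any poster, from OpenSSL or from dumpasn1. The function names, the placeholder public key and the sample request bodies are constructed for the example. Tag 0xA0 is the context-specific constructed tag [0] that PKCS#10 uses for the attributes field, so `a0 00` is that field with nothing in it.

```python
# Added example: minimal DER walker for a PKCS#10 CertificationRequestInfo.
ATTR = {3: "CN", 6: "C", 7: "L", 8: "ST", 10: "O", 11: "OU"}  # last arc of OID 2.5.4.x

def tlv(tag, body):
    """DER-encode one tag/length/value (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def build_request_info(pairs):
    """Constructed sample: version 0, subject in the given order, a placeholder
    (not real) public key, and an empty attributes field."""
    code = {v: k for k, v in ATTR.items()}
    rdns = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, bytes([0x55, 0x04, code[k]])) + tlv(0x13, v.encode())))
        for k, v in pairs)
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, rdns) + spki + tlv(0xA0, b""))

def inspect_request_info(der):
    """Return (subject in encoded order, attributes tag, attributes length)."""
    _, body, _ = read_tlv(der, 0)
    _version, subject, _spki, attrs = children(body)
    order = []
    for _, rdn in children(subject[1]):        # each RDN is a SET ...
        for _, atv in children(rdn):           # ... of SEQUENCE { type OID, value }
            (_, oid), (_, val) = children(atv)
            name = ATTR.get(oid[2]) if oid[:2] == b"\x55\x04" else None
            order.append((name or oid.hex(), val.decode()))
    return order, attrs[0], len(attrs[1])
```

Building the same six attributes in both orders gives two different encodings of the same length, and the walker reports the order as encoded, which is the order the CA receives.
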