I've never used keygen.tcl to generate keypairs nor have I used a key/cert
that is known to work with nsssl. Instead, use openssl directly to generate
a self-signed cert:
openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem
Then take off the passphrase from the key:
openssl rsa -in key.pem -out key2.pem
Place the key and cert in the right places, check your nsd.tcl config, then
run aolserver. If the key or cert don't load, then take my demo key and cert
from the nsopenssl distribution and try those. If those don't work, then we
need to chat.
Here are some of the other common OpenSSL commands for your reference:
Ciphers:
Show me all the ciphers available in OpenSSL:
openssl ciphers -v
Keys:
Generate a private key
openssl genrsa -out key.pem 1024
Create random state
head -25 * > rand.dat
ssleay md5 * > rand.dat
Generate a Private Key Protected with Passphrase
openssl genrsa -rand rand.dat -des 1024 > key.pem
OR
openssl genrsa -rand rand.dat -des3 1024 > key.pem
Remove a Passphrase from a Private Key
openssl rsa -in key1.pem -out key2.pem
Add a Passphrase to a Private Key
openssl rsa -des -in key1.pem -out key2.pem
OR
openssl rsa -des3 -in key1.pem -out key2.pem
Examine a Private Key
openssl rsa -noout -text -in keyfile.pem
Convert a Private Key from PEM to BER
Certificates:
Examine a Certificate
openssl x509 -noout -text -in certfile.pem
Generate a Certificate Signing Request
openssl req -new -key key.pem -out csr.pem
Generate a Dummy self-signed Certificate
openssl req -new -x509 -key key.pem -out dummycert.pem
Convert a certificate from PEM to DER format:
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Generate a new private key and self-signed cert
openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem
Generate a CSR from an already-generated private key
openssl req -new -key key.pem -out req.pem -newhdr
Generate a new self-signed cert
openssl req -x509 -key key.pem -out cert.pem
/s.
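The recipe above as one non-interactive script, added here as an example and not part of the original post or of nsopenssl: it makes the key and self-signed cert, strips the passphrase, and then checks the two things a server trips over when "error loading private key file" shows up, namely a key that is still encrypted and a key that does not belong to the cert. It assumes the openssl CLI is installed and uses a made-up subject, passphrase and paths; it uses 2048-bit RSA rather than the 1024 in the commands above.

```shell
#!/bin/sh
# Added example, not from the original post. Walks the reply's recipe end to end:
# make a key and self-signed cert, strip the passphrase, then prove the files are
# loadable and belong together before handing them to the server.
# Assumes the openssl CLI is installed; paths, subject and passphrase are made up.

# make_pair DIR PASS: key.pem (encrypted with PASS) + cert.pem, non-interactively.
# 2048-bit RSA instead of the 1024 in the original commands.
make_pair() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=demo.example.test" \
        -passout "pass:$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# strip_passphrase IN PASS OUT: same as "openssl rsa -in key.pem -out key2.pem",
# but the passphrase is supplied so it runs without a prompt.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null && chmod 600 "$3"
}

# key_is_unencrypted FILE: 0 if the key parses with an empty passphrase,
# i.e. the server will be able to load it without being asked for one.
key_is_unencrypted() {
    openssl rsa -in "$1" -noout -passin pass: 2>/dev/null
}

# key_matches_cert KEY CERT: 0 if the key's modulus equals the cert's modulus;
# a key from one request paired with a cert issued for another fails here.
key_matches_cert() {
    km=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cm=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$km" = "$cm" ]
}

# check_pair KEY CERT: prints one line saying what a server would trip over.
check_pair() {
    key_is_unencrypted "$1" || { echo "key is encrypted or unreadable"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key and cert do not match"; return 1; }
    echo "key and cert OK"
}
```

Run `check_pair key.pem cert.pem` against the files your nsd.tcl points at before starting the server; a mismatch means the cert was issued for a different request than the key you kept.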
-----Original Message-----
From: David V Rodriguez [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 13, 2002 4:52 PM
To: [EMAIL PROTECTED]
Subject: [AOLSERVER] Trouble getting new certificate working
I'm having trouble getting a new SSL certificate installed. I created
the request with the same keygen.tcl file used to generate the
request for this service a year ago, but SSL is failing with the new
certificate/key combination. I get these two lines in the error log
for every request:
Debug: nsssl: failed to decrypt secret session key
Error: nsssl: ssl connection failed, bsafe error 524
I'm sure I'm using the 128-bit SSL module because the server log
contains
Notice: nsssl: initialized with 128-bit domestic encryption
I tried using nsopenssl, but can't even get the server to start
with the new or old certificates. It dies with:
Error: nsopenssl: error loading private key file
"/web/tufte/oldkeys/keyfile.pem"
Things I've tried: (1) reinstalling the latest version of openssl,
(2) rebuilding nsopenssl 1.1c, (3) experimenting with file permissions
(644 and 600), (4) ensuring the keyfile doesn't have a passphrase in
it, and (5) ensuring that the files are really where AOLserver thinks
they are. None of these have worked.
Does anyone have experience in fixing either of these problems --
either (1) getting rid of "bsafe error 524" or (2) getting certificates
created for a keygen.tcl/nsssl request working with nsopenssl?
David