> Hi Peter, thanks for your reply,
>
> this is what my .cnf file looks like:
>
> are you saying that I should not have [ca] and [ca_path] sections in the
> file, and rather only [ca_path]?
>
>
> [ ca ]
> default_ca = CA_path # The default ca section
>
> ####################################################################
> [ CA_path ]
>
> dir = /usr/local/ssl/ca_path # Where everything is kept
> certs = $dir/certs # Where the issued certs are kept
> crl_dir = $dir/crl # Where the issued crl are kept
> database = $dir/index.txt # database index file.
> #unique_subject = no # Set to 'no' to allow creation of
> # several certificates with same subject.
> new_certs_dir = $dir/newcerts # default place for new certs.
>
> certificate = $dir/cert # The CA certificate
> serial = $dir/serial # The current serial number
> #crlnumber = $dir/crlnumber # the current crl number must be
> # commented out to leave a V1 CRL
> crl = $dir/crl.pem # The current CRL
> private_key = $dir/private/cakey.pem # The private key
> RANDFILE = $dir/private/.rand # private random number file
>
> x509_extensions = usr_cert # The extensions to add to the cert
>
> # Comment out the following two lines for the "traditional"
> # (and highly broken) format.
> name_opt = ca_default # Subject Name options
> cert_opt = ca_default # Certificate field options
>
> # Extension copying option: use with caution.
> # copy_extensions = copy
>
> # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
> # so this is commented out by default to leave a V1 CRL.
> # crlnumber must also be commented out to leave a V1 CRL.
> # crl_extensions = crl_ext
>
> default_days = 365 # how long to certify for
> default_crl_days= 30 # how long before next CRL
> default_md = md5 # which md to use.
> preserve = no # keep passed DN ordering
>
>
> vi
>
> ----- Original Message -----
> From: "Peter Stuge" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Saturday, June 11, 2005 10:53 AM
> Subject: Re: [binc] Fw: SSL certs
>
>
> > On Sat, Jun 11, 2005 at 10:30:38AM +0200, Grant Fletcher wrote:
> > > [EMAIL PROTECTED] bincimap]# openssl ca -in cert/binc.req -out cert/binc.cert
> > > Using configuration from /usr/share/ssl/openssl.cnf
> > > Error opening CA private key ./demoCA/private/cakey.pem
> > > 16366:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/private/cakey.pem','r')
> > > 16366:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
> > > unable to load CA private key
> > > [EMAIL PROTECTED] bincimap]#
> > >
> > > can you help!
> >
> > I think so.
> >
> > OpenSSL doesn't seem to know that you want to use your new CA
> > definition by default.
> >
> > If you followed my example on LWBI, make sure you change/add
> >
> > [ ca ]
> > default_ca = CA_diy
> >
> > in openssl.cnf. Perhaps I should clarify that the [ ca ] section
> > most likely already exists in the file, and that if you add another
> > one after the first one, it will not override the first one. (Or if
> > it's the other way around.)
> >
> > Alternatively, you can add the option -name CA_diy to each openssl ca
> > command.
> >
> >
> > //Peter
> >
> >
>
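
An added example, not part of the thread or of OpenSSL: a small Python check for the situation discussed above, where an openssl.cnf carries more than one [ ca ] section or a default_ca that does not lead to the intended CA directory. It lists every default_ca candidate with the private_key path it resolves to and flags default_md = md5, without claiming which duplicate OpenSSL honours. The sample file, the parse/audit names and the simplified parsing (only $dir is expanded) are assumptions.

```python
import re
# Constructed sample: a stock [ ca ] section followed by a second one.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default          # stock entry
[ CA_default ]
dir = ./demoCA
private_key = $dir/private/cakey.pem
[ ca ]
default_ca = CA_path             # added later
[ CA_path ]
dir = /usr/local/ssl/ca_path
private_key = $dir/private/cakey.pem
default_md = md5
"""

HEADER = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")

def parse(text):
    """Return ({section: [(key, value), ...]}, {section: [header line numbers]})."""
    sections, headers, current = {}, {}, "default"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        match = HEADER.match(line)
        if match:
            current = match.group(1)
            headers.setdefault(current, []).append(lineno)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, []).append((key, value))
    return sections, headers

def audit(text):
    """Report why 'openssl ca' might load a different CA than intended."""
    sections, headers = parse(text)
    findings = []
    if len(headers.get("ca", [])) > 1:
        findings.append(f"[ ca ] declared at lines {headers['ca']}")
    candidates = [v for k, v in sections.get("ca", []) if k == "default_ca"]
    for name in dict.fromkeys(candidates):      # de-duplicate, keep file order
        if name not in headers:
            findings.append(f"default_ca = {name}: no [ {name} ] section")
            continue
        keys = dict(sections.get(name, []))
        key_path = keys.get("private_key", "").replace("$dir", keys.get("dir", ""))
        findings.append(f"default_ca = {name}: private_key -> {key_path}")
        if keys.get("default_md") == "md5":
            findings.append(f"[ {name} ]: default_md = md5 is a weak signing digest")
    return findings
```

Calling `audit(open(path).read())` on the file named in the "Using configuration from" line shows whether the relative ./demoCA path from the error message is still reachable through a default_ca entry.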