Hi, can you help with this? Here is a copy of the .cnf file:

[ ca ]
default_ca = CA_diy                # The default ca section used by
                                   # the openssl ca command

[ CA_diy ]
dir = /usr/local/ssl/ca_diy        # Should be an empty dir dedicated to
                                   # this CA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cert
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/key
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
default_days = 365
default_crl_days= 30
default_md = md5
preserve = no
policy = policy_anything
[EMAIL PROTECTED] ca_diy]# pwd
/usr/local/ssl/ca_diy
[EMAIL PROTECTED] ca_diy]# ls
cert  cert.req  certs  crl  index.txt  newcerts  output  private  serial
[EMAIL PROTECTED] ca_diy]# openssl ca -in certs/binc.req -out certs/binc.certpwd -name CA_diy
Using configuration from /usr/share/ssl/openssl.cnf
variable lookup failed for CA_diy::private_key
18651:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_diy name=private_key
[EMAIL PROTECTED] ca_diy]#

----- Original Message -----
From: "Peter Stuge" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, June 11, 2005 10:53 AM
Subject: Re: [binc] Fw: SSL certs

> On Sat, Jun 11, 2005 at 10:30:38AM +0200, Grant Fletcher wrote:
> > [EMAIL PROTECTED] bincimap]# openssl ca -in cert/binc.req -out
> > cert/binc.cert
> > Using configuration from /usr/share/ssl/openssl.cnf
> > Error opening CA private key ./demoCA/private/cakey.pem
> > 16366:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/private/cakey.pem','r')
> > 16366:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
> > unable to load CA private key
> > [EMAIL PROTECTED] bincimap]#
> >
> > can you help!
>
> I think so.
>
> OpenSSL doesn't seem to know that you want to use your new CA
> definition by default.
>
> If you followed my example on LWBI, make sure you change/add
>
> [ ca ]
> default_ca = CA_diy
>
> in openssl.cnf. Perhaps I should clarify that the [ ca ] section
> most likely already exists in the file, and that if you add another
> one after the first one, it will not override the first one. (Or if
> it's the other way around.)
>
> Alternatively, you can add the option -name CA_diy to each openssl ca
> command.
>
>
> //Peter
>
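As an added illustration, not code from this thread or from OpenSSL, here is a small Python model of the section lookup that `openssl ca` performs: `-name` wins, otherwise the `default_ca` key of `[ ca ]` selects the section, and the first mandatory key it then reads is `private_key`, which is why a missing or misnamed section surfaces as `variable lookup failed for CA_diy::private_key`. The two config texts are constructed (a stand-in for a stock file that still points at ./demoCA, and the CA_diy section from the message above); the rule that a later definition replaces an earlier one is an assumption of this toy parser, not a claim about OpenSSL's parser, which is exactly the point the reply is unsure about.

```python
"""Toy model of the [ca] / default_ca / -name lookup done by `openssl ca`.
Constructed for illustration; not OpenSSL's code and not the thread's."""
import re

# Keys this toy treats as mandatory, in the order `openssl ca` reads them
# (private_key first, matching the error message quoted in the thread).
REQUIRED_KEYS = ("private_key", "certificate", "new_certs_dir", "database", "serial")
WEAK_DIGESTS = ("md2", "md4", "md5", "sha1")

_SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
_VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}.

    Strips '#' comments, splits 'key = value', and expands $var / ${var}
    against keys already set in the same section (falling back to the
    unnamed default section). A repeated key or section is merged and the
    later value wins: an assumption of this toy, not a statement about OpenSSL.
    """
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        scope = sections[current]

        def expand(match):
            var = match.group(1) or match.group(2)
            return scope.get(var, sections["default"].get(var, ""))

        scope[key] = _VAR_RE.sub(expand, value)
    return sections


def resolve_ca_section(sections, name=None):
    """Pick the CA section the way `openssl ca` does and check its mandatory keys.

    Raises LookupError with a message shaped like OpenSSL's lookup failure.
    """
    if name is None:
        name = sections.get("ca", {}).get("default_ca")
        if name is None:
            raise LookupError("variable lookup failed for ca::default_ca")
    sec = sections.get(name, {})
    for key in REQUIRED_KEYS:
        if key not in sec:
            raise LookupError("variable lookup failed for %s::%s" % (name, key))
    return name, sec


def lint_ca_section(sec):
    """Return findings a reviewer would raise about a resolved CA section."""
    findings = []
    md = sec.get("default_md", "").lower()
    if md in WEAK_DIGESTS:
        findings.append("default_md = %s is a broken or deprecated signature digest; use sha256 or stronger" % md)
    key_path = sec.get("private_key", "")
    if not key_path.startswith("/"):
        findings.append("private_key %r is relative and resolves against the cwd of `openssl ca`" % key_path)
    return findings


# Constructed stand-in for a stock openssl.cnf whose CA still lives in ./demoCA.
STOCK_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = md5
"""

# Constructed from the CA_diy section posted above (extensions/policy omitted).
DIY_CNF = """\
[ ca ]
default_ca = CA_diy

[ CA_diy ]
dir = /usr/local/ssl/ca_diy
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cert
serial = $dir/serial
private_key = $dir/private/key
default_md = md5
"""


def demo():
    """Replay the situations in the thread; returns the outcomes for checking."""
    stock = parse_cnf(STOCK_CNF)
    diy = parse_cnf(DIY_CNF)
    out = {}
    # 1. Stock file, no -name: lookup succeeds but points at ./demoCA (first error above).
    out["stock_default"] = resolve_ca_section(stock)[1]["private_key"]
    # 2. The CA_diy file is the one being read and -name CA_diy is given: success.
    out["diy_named"] = resolve_ca_section(diy, "CA_diy")[1]["private_key"]
    # 3. -name CA_diy against a file with no [ CA_diy ] section: the error in the session above.
    try:
        resolve_ca_section(stock, "CA_diy")
        out["stock_named"] = "ok"
    except LookupError as err:
        out["stock_named"] = str(err)
    # 4. Stock file with the CA_diy definitions appended: in this toy the later [ ca ] wins.
    out["appended_default"] = resolve_ca_section(parse_cnf(STOCK_CNF + DIY_CNF))[0]
    out["findings"] = lint_ca_section(diy["CA_diy"])
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print("%-17s %s" % (label, value))
```

Case 3 reproduces the exact message from the session above whenever the file OpenSSL actually opens lacks a [ CA_diy ] section; since that session shows it reading /usr/share/ssl/openssl.cnf, that file is the first place to confirm the section exists, regardless of which copy was pasted. The lint also flags default_md = md5, which is not a digest a CA should sign with, and the relative ./demoCA key path that explains the fopen failure in the quoted earlier attempt.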
