Hello: I'm trying to use the "openssl ca" command inside a mod_perl handler (I borrowed Perl code from http://www.pseudonym.org/ssl/) to sign Netscape SPKACs, and I'm running into a very funky problem.
The docs say that the signed cert will come out in PEM form. As I understand it, PEM certs look like

  -----BEGIN CERTIFICATE-----
  <some lines of Base-64 encoded stuff>
  -----END CERTIFICATE-----

and what I get coming out is something very different. When I try to download it to a Netscape browser using a MIME type of 'application/x-x509-user-cert', Netscape won't load it.

My environment is Debian Potato dist with Linux kernel 2.4.9, openssl 0.9.6b.

The command I use is

  /usr/local/bin/openssl ca -batch \
    -config /var/ssl/PhysempCA/request.cnf \
    -out /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.pem \
    -spkac /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.spkac

The output to STDOUT is:

  Using configuration from /var/ssl/PhysempCA/request.cnf
  Check that the SPKAC request matches the signature
  Signature ok
  The Subjects Distinguished Name is as follows
  countryName           :PRINTABLE:'US'
  localityName          :PRINTABLE:'Mexico'
  organizationName      :PRINTABLE:'Audrain Medical Center'
  commonName            :PRINTABLE:'Michele Trammell'
  emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
  Certificate is to be certified until Oct 17 18:47:20 2002 GMT (366 days)
  Write out database with 1 new entries
  Data Base Updated

Here is the SPKAC (inserted newlines for readability):

  SPKAC=MIIBOjCBpDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwpvydCd+jgvlAkbVa
  TI+OAhaTLunUKN0ov5pvSm+TS0RxvbqhO2olCTp7dV9urim10EE2dUe/JuTo9tlUblgjVO5
  m2ZAA35fKYXyEQhFQdkAvErXS2GMF0PxHUUAXEMGHuureCjSw8xzR4RaytmEPS0HFslbIHM
  FC8fdBnNN/8kCAwEAARYAMA0GCSqGSIb3DQEBBAUAA4GBADIDIjM2gVP0Go/OhpnYA6XgNE
  HMkXX//YX01VrY+vu9oaBxohSSMfismi9nUoPZ00EYh4uQa08jf+tUCrAYvGmGED1e5Y4/F
  WQ3SsHzfMqxkaNilln2xEKYlFWrB984/u/fkLpCqjanqxokINbgUAcpDzIlDgdhs35Z2/RM
  X47D
  C=US
  SP=Missouri
  L=Mexico
  O=Audrain Medical Center
  CN=Michele Trammell
  [EMAIL PROTECTED]

And here is my config file:

  [ ca ]
  default_ca = PhysempCA        # The default ca section

  [ PhysempCA ]
  dir = /var/ssl/PhysempCA
  certs = /var/ssl/PhysempCA/certs
  crl_dir = /var/ssl/PhysempCA/crl
  database = /var/ssl/PhysempCA/index.txt
  new_certs_dir = /var/ssl/PhysempCA/newcerts
  certificate = /var/ssl/PhysempCA/cacert.pem
  serial = /var/ssl/PhysempCA/serial
  crl = /var/ssl/PhysempCA/crl.pem
  private_key = /var/ssl/PhysempCA/private/cakey.pem.decoded
  RANDFILE = /var/ssl/PhysempCA/private/.rand
  x509_extensions = usr_cert
  default_days = 366
  default_md = md5
  preserve = no
  policy = policy_anything

  [ policy_anything ]
  countryName = optional
  stateOrProvinceName = optional
  localityName = optional
  organizationName = optional
  organizationalUnitName = optional
  commonName = optional
  emailAddress = optional

  [ req ]
  default_bits = 1024
  default_keyfile = privkey.pem
  distinguished_name = req_distinguished_name
  attributes = req_attributes
  prompt = no
  string_mask = nombstr
  req_extensions = v3_req

  [ req_distinguished_name ]
  countryName_default = US
  stateOrProvinceName_default = Missouri
  localityName_default = Mexico
  organizationName_default = Audrain Medical Center
  commonName_default = Michele Trammell
  emailAddress_default = [EMAIL PROTECTED]

  [ req_attributes ]
  challengePassword =
  unstructuredName = Michele Trammell

  [ usr_cert ]
  basicConstraints = CA:FALSE
  nsCertType = client, email
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  nsComment = "OpenSSL Generated Certificate Issued by Physician's Employment CA"
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid,issuer:always
  subjectAltName = email:copy
  issuerAltName = issuer:copy

  [ v3_req ]
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment

If any one needs to see the resulting cert, I'd be more than happy to email it as an attachment.

--Christopher
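The openssl ca manual notes that -out writes the certificate in PEM form except when -spkac is used, where it writes DER, so a file that does not start with the BEGIN CERTIFICATE armor is not necessarily broken. The helper below is an added example, not the poster's code: it tells DER from PEM by checking the outer DER SEQUENCE header against the file length, and wraps a DER certificate into PEM armor; the function names, the constructed SAMPLE_DER bytes and the reuse of the post's output path are assumptions.

```python
import base64
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_total_length(data: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE in data, or -1 when the
    header is not a SEQUENCE tag (0x30) followed by a well-formed DER length."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                 # short form: the byte is the length itself
        return 2 + first
    n = first & 0x7F                 # long form: n following big-endian length bytes
    if n == 0 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify bytes written by 'openssl ca -out' as 'PEM', 'DER' or 'unknown'."""
    if data.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return "PEM"
    if der_total_length(data) == len(data):   # one SEQUENCE spanning the whole file
        return "DER"
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return the certificate with PEM armor: PEM input is passed through,
    DER input is base64-encoded and split into 64-column lines."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt != "DER":
        raise ValueError("neither a PEM certificate nor a single DER SEQUENCE")
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    # Default path is the -out file from the post; pass another path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else \
        "/var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.pem"
    with open(path, "rb") as fh:
        raw = fh.read()
    print("detected:", detect_format(raw))
    print(to_pem(raw), end="")
```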