I've switched over to a Linux system running OpenSSL 0.9.7a Feb 19 2003, and copied the CA.pl from Solaris; now everything works fine.
Going back to my original question, I need to create a root CA, then create a server CA (signed with the root CA), then create a server certificate (signed with the server CA). Just like the examples in "Programming with SSL", pages 125 and 125. Then I will need to revoke the server CA and create a CRL.

So my question is, given that CA.pl creates a root CA, how do I create the server CA? Then create a server certificate signed with the server CA?

-David

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Wed, Nov 09, 2005, david kine wrote:
>
> > I'm attempting to use CA.pl on a Solaris 10 Sparc
> > system. OpenSSL is provided on the distribution CD's
> > (OpenSSL 0.9.7d 17 Mar 2004). I use the following
> > commands:
> >
> > 1. CA.pl -newca
> > 2. CA.pl -newreq
> > 3. CA.pl -signreq {problems at this step}
> >
> > During the signreq, the program cannot open the CA
> > private key and produces a core file:
> >
> > ---------
> >
> > Using configuration from /etc/sfw/openssl/openssl.cnf
> > Error opening CA private key /etc/sfw/openssl/private/cakey.pem
> > 20715:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/conf/conf_lib.c:329:group=CA_default name=unique_subject
> > 20715:error:0200100D:system library:fopen:Permission denied:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('/etc/sfw/openssl/private/cakey.pem','r')
> > 20715:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:278:
> > unable to load CA private key
> > Signed certificate is in newcert.pem
> >
> > ------
> >
> > The file "newcert.pem" is not created.
> >
> > The CA private key apparently is contained in
> > "./demoCA/private/cakey.pem".
> >
> > Should I use a custom openssl.cnf to fix this problem?
> > Or modify CA.pl?
> >
>
> Looks like they've modified openssl.cnf already but haven't changed CA.pl to
> suit.
>
> You could try a standard openssl.cnf (e.g. from a standard distribution on
> www.openssl.org) and using the OPENSSL_CONF environment variable to point to it.
>
> Alternatively try compiling up a more recent version of OpenSSL and using
> that.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
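The three-level hierarchy asked about above (root CA, server CA signed by the root, server certificate signed by the server CA, then revocation of the server CA with a CRL), as an added example that is not part of the original thread and does not use CA.pl. It calls the `openssl` command directly with a minimal configuration written for this example; all subjects, file names and lifetimes are constructed.

```shell
# Added example: subjects, file names and lifetimes are constructed.
build_chain() (   # $1 = empty working directory
  cd "$1" && mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
  cat > ca.cnf <<'EOF'
[ca]
default_ca = root_ca
[root_ca]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = root.pem
private_key = root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[policy_any]
commonName = supplied
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
EOF
  req() { n=$1; cn=$2; shift 2; openssl req -config ca.cnf -newkey rsa:2048 \
    -nodes -keyout "$n.key" -subj "/CN=$cn" "$@" 2>/dev/null; }
  # 1. Self-signed root CA.
  req root "Example Root CA" -x509 -days 3650 -extensions v3_ca -out root.pem &&
  # 2. Server CA, signed by the root via `openssl ca` so index.txt records it.
  req serverca "Example Server CA" -out serverca.csr &&
  openssl ca -config ca.cnf -batch -notext -extensions v3_ca \
    -in serverca.csr -out serverca.pem 2>/dev/null &&
  # 3. Server certificate, signed by the server CA.
  req server "www.example.test" -out server.csr &&
  openssl x509 -req -in server.csr -CA serverca.pem -CAkey serverca.key \
    -CAcreateserial -days 365 -extfile ca.cnf -extensions v3_server \
    -out server.pem 2>/dev/null
)
chain_ok() ( cd "$1" && openssl verify -CAfile root.pem \
  -untrusted serverca.pem server.pem >/dev/null 2>&1 )
revoke_server_ca() ( cd "$1" &&   # 4. Revoke the server CA, publish a CRL.
  openssl ca -config ca.cnf -revoke serverca.pem 2>/dev/null &&
  openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null )
server_ca_revoked() ( cd "$1" && openssl verify -crl_check -CAfile root.pem \
  -CRLfile root.crl serverca.pem 2>&1 | grep -q "certificate revoked" )
d=$(mktemp -d) && build_chain "$d" && chain_ok "$d" && revoke_server_ca "$d" &&
  server_ca_revoked "$d" && echo "server CA revoked; CRL in $d/root.crl"
```

`chain_ok` still succeeds after the revocation, because `openssl verify` consults a CRL only when asked to with `-crl_check`; a relying party that never loads `root.crl` keeps accepting certificates issued under the revoked server CA.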