Hello,

> Like described in the Linux Samba-OpenLDAP Howto form IDEALX.com
> I performed the following steps to create a certificate for my
> server:
>
> Basedirectory /etc/openldap
>
> 1) create directory structure
> mkdir certs csr data keys private data/ca.db.certs
> ln -s data datas
>
> 2) touch private/ca.key data/ca.db.serial
> cp /dev/null data/ca.db.index
>
> 3) Generate pseudo-random bytes
> openssl rand 1024 > data/random-bits
>
> 4) create the key for the CA
> openssl genrsa -des3 -out private/ca.key 1024 -rand data/random-bits
> chmod 600 private/ca.key
>
> 5) Self-sign the root CA
> openssl req -new -x509 -days 3650 -key private/ca.key -out certs/ca.pem

Try to check here:

$ openssl verify -CAfile certs/ca.pem certs/ca.pem

> 6) create a configuration ca.conf file for the CA containing:
> ....
> default_md = md5

Change to sha1 - md5 is not secure.

> 8) create the server key and certificate for ldap.pdnet.net server
> create the key for the server ldap.pdnet.net
> openssl genrsa -out keys/ldap.pdnet.net.key 1024
>
> 9) create certificate data for ldap.pdnet.net
> openssl req -new -key keys/ldap.pdnet.net.key -out csr/ldap.pdnet.net.csr
>
> 10) sign the ldap.pdnet.net certificate with the CA one
> openssl ca -config ca.conf -out certs/ldap.pdnet.net.txt -infiles csr/ldap.pdnet.net.csr
>
> 11) extract the ldap.pdnet.net certificate
> perl -n -e 'm/BEGIN CERTIFICATE/ && do {$seen=1}; $seen && print;' < certs/ldap.pdnet.net.txt > certs/ldap.pdnet.net.pem

Add "-notext" option to "openssl ca" to not write this text info.

> Everything went fine up to here, but when I try to verify my
> certificate I get the following error:
>
> openssl verify -CAfile certs/ca.pem certs/ldap.pdnet.net.pem
>
> Result:
> certs/ldap.pdnet.net.pem: /C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Patschull-Design/OU=IT-Service/CN=Michael Patschull/[EMAIL PROTECTED]
> error 18 at 0 depth lookup:self signed certificate
> /C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Patschull-Design/OU=IT-Service/CN=Michael Patschull/[EMAIL PROTECTED]
> error 7 at 0 depth lookup:certificate signature failure
> 4495:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 4495:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:632:
> 4495:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:

This means that after decrypting the signature of the ldap.pdnet.net.pem certificate with the public key from ca.pem, instead of an ASN.1 AlgorithmIdentifier structure we have some garbage. Probably the signature was signed (encrypted with the private key) with a private key not from the CA, or the public key in ca.pem is not from a compatible CA pair - this should be checked.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
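The script below is an added example; it is not part of Marek's reply, the original question, or the IDEALX howto. It rebuilds the same CA layout (certs/, csr/, keys/, private/, data/ca.db.*) in a temporary directory with a generated ca.conf, signs with sha256 (the choice you would make today; the point stands that md5 must go) and uses "openssl ca -notext" so the perl extraction step is unnecessary. It then reproduces the two situations that make "openssl verify" print the errors quoted above and shows a check for each: a server CSR that was given the CA's own DN (OpenSSL reports "error 18 ... self signed certificate" at depth 0 whenever a leaf's subject and issuer names are identical and it is not itself in the CA file, and then fails the signature check with the leaf's own key, "error 7"), and the CA pair Marek suspects, i.e. ca.key/ca.pem regenerated after the server certificate was signed. It needs only the openssl binary; the CA name "Example Test CA", the host name ldap.example.test, and the temporary paths are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail): an IDEALX-style CA layout with
# a sha256 signer and "openssl ca -notext", plus the two conditions behind
# "error 18 ... self signed certificate" / "error 7 ... signature failure".
# Needs only openssl; every name and path here is constructed for the demo.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# make_ca DIR SUBJECT: directory layout, ca.conf, CA key and self-signed cert.
# Running it again on the same DIR replaces the CA pair (like redoing steps 4-5).
make_ca() {
  d=$1
  mkdir -p "$d/certs" "$d/csr" "$d/keys" "$d/private" "$d/data/ca.db.certs"
  [ -s "$d/data/ca.db.serial" ] || echo 01 > "$d/data/ca.db.serial"
  : > "$d/data/ca.db.index"
  cat > "$d/ca.conf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = local_ca
[ local_ca ]
new_certs_dir = $d/data/ca.db.certs
database = $d/data/ca.db.index
serial = $d/data/ca.db.serial
certificate = $d/certs/ca.pem
private_key = $d/private/ca.key
default_days = 365
default_md = sha256
policy = local_policy
x509_extensions = server_ext
[ local_policy ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
EOF
  openssl genrsa -out "$d/private/ca.key" 2048 2>/dev/null
  chmod 600 "$d/private/ca.key"
  openssl req -new -x509 -days 3650 -sha256 -config "$d/ca.conf" \
    -key "$d/private/ca.key" -subj "$2" -out "$d/certs/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME SUBJECT: server key, CSR, then the CA-signed PEM.
# -notext leaves out the text dump, so no extraction step is needed afterwards.
issue_cert() {
  d=$1; n=$2
  openssl genrsa -out "$d/keys/$n.key" 2048 2>/dev/null
  openssl req -new -config "$d/ca.conf" -key "$d/keys/$n.key" -subj "$3" \
    -out "$d/csr/$n.csr" 2>/dev/null
  openssl ca -batch -notext -config "$d/ca.conf" -out "$d/certs/$n.pem" \
    -infiles "$d/csr/$n.csr" >/dev/null 2>&1
}

# verify_chain CAFILE CERT: exit status of "openssl verify" (0 = chain is good)
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert KEY CERT: true when both carry the same RSA modulus, i.e.
# the private key really belongs to that certificate
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
    "$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)" ]
}

# self_issued CERT: true when subject and issuer are the same name, which is
# what makes verify report "self signed certificate" at depth 0 for a leaf
self_issued() {
  [ "$(openssl x509 -noout -subject -in "$1")" = \
    "$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=/subject=/')" ]
}

CA=$W/ca
make_ca "$CA" "/CN=Example Test CA"
issue_cert "$CA" ldap.example.test "/CN=ldap.example.test"
if verify_chain "$CA/certs/ca.pem" "$CA/certs/ldap.example.test.pem"; then
  echo "ldap.example.test.pem verifies against ca.pem"
fi

# Failure 1: the server CSR reused the CA's own DN. verify treats the leaf as
# self-signed (error 18) and then tries its own key on the signature (error 7).
issue_cert "$CA" samedn "/CN=Example Test CA"
if ! verify_chain "$CA/certs/ca.pem" "$CA/certs/samedn.pem" && self_issued "$CA/certs/samedn.pem"; then
  echo "samedn.pem: subject == issuer, give the server certificate its own DN"
fi

# Failure 2: ca.key/ca.pem regenerated after signing. The new pair matches
# itself, but the earlier leaf was signed by a key that no longer exists.
cp "$CA/certs/ca.pem" "$CA/certs/ca-first.pem"
make_ca "$CA" "/CN=Example Test CA"
if key_matches_cert "$CA/private/ca.key" "$CA/certs/ca.pem" &&
   ! verify_chain "$CA/certs/ca.pem" "$CA/certs/ldap.example.test.pem" &&
   verify_chain "$CA/certs/ca-first.pem" "$CA/certs/ldap.example.test.pem"; then
  echo "ca.pem is a new CA pair; ldap.example.test.pem only verifies against the CA that signed it, re-issue it"
fi
```

Two things the checks rely on: "openssl ca" itself refuses to sign when the configured ca.key does not match ca.pem, so a mismatched pair at verify time almost always means the CA was regenerated after the server certificate was issued (keep a copy of the ca.pem you signed with, as the script does with ca-first.pem); and a depth-0 "self signed certificate" error on a CA-issued leaf is a naming problem, not a signature problem, so compare the leaf's subject and issuer before chasing the RSA padding errors.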