Why don't you use the ca command?

On Tue, Aug 18, 2009 at 9:38 AM, Gerald Iakobinyi-Pich <nutri...@gmail.com> wrote:
> Hello,
>
> So I have played around a little bit more yesterday, but with the same
> result.
> Attached is the openssl.cnf I am using. The problem is the same, I do
> not know how to override the subject information from the config file
> (specified in the "req_distinguished_name" section), from the command line.
>
> And this is what I execute from the cmd line:
>
> openssl genrsa -des3 -out ..\demo_store\private\private_key_client.pem
> -passout pass:pass 1024
>
> openssl req -config .\openssl.cnf -subj
> "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365
> -key ..\demo_store\private\private_key_client.pem -outform PEM -out
> ..\demo_store\request\req_server.csr -passin pass:pass
>
> openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr
> -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA
> ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey
> ..\demo_store\private\ca_private_key.pem -CAcreateserial
>
> Regards,
> Gerald
>
> On Mon, Aug 17, 2009 at 7:20 PM, Serge Fonville
> <serge.fonvi...@gmail.com> wrote:
>
>> What does your openssl.cnf look like, since it is used in the req?
>>
>> On Mon, Aug 17, 2009 at 6:00 PM, Gerald Iakobinyi-Pich <
>> nutri...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> So my end goal is to have a CA, which I can use to sign certificates. I
>>> have set up a CA, that was not that hard. But now I want to create
>>> certificates signed by my CA, and I want to provide the subject from the
>>> command line. I don't want it to be read from the openssl.cnf. That is
>>> because I have to create more certificates, and I do not want to modify the
>>> openssl.cnf, for each of them.
>>>
>>> I have tried to create certificates, signed by my CA, and the subject
>>> information was provided in the openssl.cnf file. That I have succeeded.
>>>
>>> Then I have tried to provide the subject information from the command
>>> line, and that I have failed. And I have verified the contents of the
>>> certificate, and the subject was not what I have specified in the command
>>> line, but what was found in the config file.
>>>
>>> So it looks to me like if this option: -subj
>>> "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" is ignored, and
>>> like openssl tries to read this info from the config file, and I do not
>>> understand why :(.
>>>
>>> Regards,
>>> Gerald
>>>
>>> On Mon, Aug 17, 2009 at 6:31 PM, Serge Fonville <
>>> serge.fonvi...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I assume you have done a lot of googling and have read the docs
>>>> extensively.
>>>>
>>>> First, what is your end goal?
>>>> Since creating a certificate and having it signed by your own CA is not
>>>> that difficult.
>>>> What resources have you consulted?
>>>> What have you already tried?
>>>> Have you looked at the resulting certificate to verify its contents?
>>>>
>>>> Regards,
>>>>
>>>> Serge Fonville
>>>>
>>>> On Mon, Aug 17, 2009 at 4:41 PM, Gerald Iakobinyi-Pich <
>>>> nutri...@gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I am trying to create a certificate, on win, and I am having some
>>>>> troubles with OpenSSL. First I generate a key. That's ok. Then I create a
>>>>> request:
>>>>>
>>>>> openssl req -config .\openssl.cnf -subj
>>>>> "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days
>>>>> 365
>>>>> -key ..\demo_store\private\private_key_client.pem -outform PEM -out
>>>>> ..\demo_store\request\req_server.csr -passin pass:pass
>>>>>
>>>>> Then I want to sign this:
>>>>> openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr
>>>>> -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA
>>>>> ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey
>>>>> ..\demo_store\private\ca_private_key.pem -CAcreateserial
>>>>>
>>>>> And the message printed out is:
>>>>> Loading 'screen' into random state - done
>>>>> Signature ok
>>>>> subject=/C=RO
>>>>> Getting CA Private Key
>>>>>
>>>>> Now, what disturbs me, is that it seems that the subject I have
>>>>> provided with "-subj" in the first "openssl req" command has been ignored.
>>>>> Why is that happening? What am I doing wrong?
>>>>>
>>>>> Thanks,
>>>>> Gerald