Hello all!

I read this thread http://www.mail-archive.com/openssl-users@openssl.org/msg51998.html having the same problem. I have to set up a certificate in order to make a secure login from my machine to the Google/Youtube Data API. I updated my version of OpenSSL to 0.9.8k and tried again, but still got the same error.

The first two steps seem to go well, but the signing fails. Below is the output of my console. Please help, I'm quite desperate right now.
Thanks in advance!
Benedikt Ries

---------------------------------------------------------------------------------------------------------------------------------------------
bruce:certs bm$ sudo /usr/local/ssl/misc/CA.sh -newca
Password:
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.........++++++
....................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:BY
Locality Name (eg, city) []:Immenstadt
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dreamway GmbH
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, YOUR name) []:BR
Email Address []:b...@dreamway.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
unknown option -selfsign
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, one of md2, md5, sha or sha1
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates
bruce:certs bm$
bruce:certs bm$
bruce:certs bm$ sudo /usr/local/ssl/misc/CA.sh -newreq
Password:
Generating a 1024 bit RSA private key
.........................++++++
....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:BY
Locality Name (eg, city) []:Immenstadt
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dreamway GmbH
Organizational Unit Name (eg, section) []:DEV
Common Name (eg, YOUR name) []:BR
Email Address []:b...@dreamway.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:Dreamway GmbH
Request is in newreq.pem, private key is in newkey.pem
bruce:certs bm$ sudo /usr/local/ssl/misc/CA.sh -sign
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Error opening CA certificate ./demoCA/cacert.pem
18603:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('./demoCA/cacert.pem','r')
18603:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load certificate
cat: newcert.pem: No such file or directory
Signed certificate is in newcert.pem
--------------------------------------------------------------------------------------------------------------------
