On Tue, May 11, 2010, asc123 wrote:

> 
> I'm getting a segv when trying to run CA.pl/.sh to create a rootCA: 
> 
> Please enter the following 'extra' attributes 
> to be sent with your certificate request 
> A challenge password []: 
> An optional company name []: 
> unknown option -create_serial 
> usage: ca args 
> 
>  -verbose        - Talk alot while doing things 
>  -config file    - A config file 
>  -name arg       - The particular CA definition to use 
>  -gencrl         - Generate a new CRL 
>  -crldays days   - Days is when the next CRL is due 
>  -crlhours hours - Hours is when the next CRL is due 
>  -startdate YYMMDDHHMMSSZ  - certificate validity notBefore 
>  -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days) 
>  -days arg       - number of days to certify the certificate for 
>  -md arg         - md to use, one of md2, md5, sha or sha1 
>  -policy arg     - The CA 'policy' to support 
>  -keyfile arg    - private key file 
>  -keyform arg    - private key file format (PEM or ENGINE) 
>  -key arg        - key to decode the private key if it is encrypted 
>  -cert file      - The CA certificate 
>  -in file        - The input PEM encoded certificate request(s) 
>  -out file       - Where to put the output file(s) 
>  -outdir dir     - Where to put output certificates 
>  -infiles ....   - The last argument, requests to process 
>  -spkac file     - File contains DN and signed public key and challenge 
>  -ss_cert file   - File contains a self signed cert to sign 
>  -preserveDN     - Don't re-order the DN 
>  -noemailDN      - Don't add the EMAIL field into certificate' subject 
>  -batch          - Don't ask questions 
>  -msie_hack      - msie modifications to handle all those universal strings 
>  -revoke file    - Revoke a certificate (given in file) 
>  -subj arg       - Use arg instead of request's subject 
>  -extensions ..  - Extension section (override value in config file) 
>  -extfile file   - Configuration file with X509v3 extentions to add 
>  -crlexts ..     - CRL extension section (override value in config file) 
>  -engine e       - use engine e, possibly a hardware device. 
>  -status serial  - Shows certificate status given the serial number 
>  -updatedb       - Updates db for expired certificates 
> ./CA.sh: line 197: 10495 Segmentation fault      $CA -create_serial -out
> ${CATOP}/$CACERT $CADAYS -batch -keyfile ${CATOP}/private/$CAKEY -selfsign
> -extensions v3_ca -infiles ${CATOP}/$CAREQ 
> 
> I tried removing the -create_serial option and then it complains about the
> -selfsign option.  Removed that too - but it just errors out, never creating
> my root ca cert. 
> 
> Anyone encountered this before?  Happens with openssl 0.9.8m/1.0.0 on suse
> linux 9. 
> 
> Thanks in advance!
> 

The CA.pl script from OpenSSL 1.0.0 is using the openssl utility from 0.9.8
and failing due to unimplemented options. I'd suggest you either use the 0.9.8
CA.pl or amend your path so the 1.0.0 openssl utility is used.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
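
A way to confirm the mismatch described in the reply, as an added example that is not part of the original thread or of OpenSSL's own scripts: it lists each openssl on PATH in lookup order and reports which options from the failing CA.sh command line a given `openssl ca` usage text lacks. The function names and both sample usage texts are constructed for illustration.

```shell
#!/bin/sh
# Options CA.sh passes to "openssl ca" on the failing line quoted above.
REQUIRED_CA_OPTS="-create_serial -selfsign -extensions -infiles"

# Print the options from REQUIRED_CA_OPTS that a usage text ($1) does not list.
missing_ca_opts() {
    missing=""
    for opt in $REQUIRED_CA_OPTS; do
        # An option counts as supported when a usage line starts with it.
        if ! printf '%s\n' "$1" | grep -Eq -- "^[[:space:]]*${opt}([[:space:]]|\$)"; then
            missing="${missing}${missing:+ }${opt}"
        fi
    done
    printf '%s' "$missing"
}

# Print every executable named openssl found on a PATH-style string ($1),
# in lookup order; the first line is the one a script will actually run.
openssl_on_path() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -x "${dir:-.}/openssl" ]; then printf '%s\n' "${dir:-.}/openssl"; fi
    done
    IFS=$old_ifs
}

# Constructed sample: a few lines of the older usage text quoted above.
OLD_USAGE=' -out file       - Where to put the output file(s)
 -infiles ....   - The last argument, requests to process
 -extensions ..  - Extension section (override value in config file)'

# Constructed sample: usage text of a build that implements all four options.
NEW_USAGE=' -create_serial  - If reading serial fails, create a new random serial
 -selfsign       - sign a certificate with the key associated with it
 -extensions ..  - Extension section (override value in config file)
 -infiles ....   - The last argument, requests to process'

echo "sample old usage lacks: $(missing_ca_opts "$OLD_USAGE")"
echo "sample new usage lacks: $(missing_ca_opts "$NEW_USAGE")"

# Live check of whatever openssl this shell resolves (skipped if none).
if command -v openssl >/dev/null 2>&1; then
    echo "resolved: $(command -v openssl) ($(openssl version 2>/dev/null))"
    openssl_on_path "$PATH"
    live=$(missing_ca_opts "$(openssl ca -help 2>&1 </dev/null)")
    echo "live 'ca' usage lacks: ${live:-nothing}"
fi
```

If the live check reports missing options while a newer openssl appears further down the PATH listing, the script is resolving the older binary first.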
