Hi,

This is how I've been creating self-signed certificates in the past for TLS in smtpd:

# 1. self-signed CA: key and certificate in one step, unencrypted key (-nodes)
openssl req -days 3650 -nodes -new -x509 -keyout /etc/ssl/private/ca.key \
-out /etc/ssl/ca.crt

# 2. server key and certificate signing request
openssl req -days 3650 -nodes -new -keyout /etc/postfix/ssl/private/server.key \
-out /etc/postfix/ssl/private/server.csr

# 3. sign the request with the CA key; -CAcreateserial creates the serial file on first use
openssl x509 -req -days 3650 -in /etc/postfix/ssl/private/server.csr \
-out /etc/postfix/ssl/server.crt -CA /etc/ssl/ca.crt \
-CAkey /etc/ssl/private/ca.key -CAcreateserial


Now it doesn't work. Mail client says "bad signature", maillog says:

postfix/smtpd[1366]: warning: TLS library problem: 1366:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:/usr/src/lib/libssl/src/ssl/s3_pkt.c:1062:SSL alert number 42:

openssl verify -CAfile /etc/ssl/ca.crt /etc/postfix/ssl/server.crt says:

/etc/postfix/ssl/server.crt: /C=**/ST=*****/L=*****/O=*****/OU=*****/CN=***.***.**
error 18 at 0 depth lookup:self signed certificate
/C=**/ST=*****/L=*****/O=*****/OU=*****/CN=***.***.**
error 7 at 0 depth lookup:certificate signature failure
8629:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:/usr/src/lib/libssl/src/crypto/rsa/rsa_pk1.c:100:
8629:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:719:
8629:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:/usr/src/lib/libssl/src/crypto/asn1/a_verify.c:173:

This way of creating self-signed certificates worked for me in the past; I've never had this kind of problem before. I found this problem recently, when I had to remake certificates because of a common name (host name) change. Same problem on OpenBSD 4.7 and FreeBSD 8.1. Even more: just a few days back I upgraded FreeBSD from 8.0 to 8.1, then successfully created those certificates in the way described above. Everything went fine, except for a mistyped Country Name in the certificate. I deleted all the files I had just created, then made new ones, but those were already corrupted. That is, creating self-signed certificates in this way works only the very first time for me, after an OS upgrade or fresh install. All further attempts fail. Does anyone have a clue?

Thanks in advance,

Paulie
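The three-step procedure from the post, rebuilt as an added example (not the poster's files or commands, and not a diagnosis of the poster's specific failure): it creates the CA, the CSR and the CA-signed server certificate in a scratch directory, runs the same "openssl verify" check, and adds the consistency checks a practitioner would run next when verify reports "certificate signature failure": that each private key matches its certificate, that the server certificate's issuer DN equals the CA's subject DN, and that verifying against an unrelated CA with the same DN is refused. All subject names, paths and the CERT_DEMO knob are assumptions for the example; only openssl in PATH is required.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds the poster's
# three-step procedure (self-signed CA, server CSR, CA-signed server cert)
# under a scratch directory and adds checks that localise a
# "certificate signature failure". Assumes: openssl in PATH; the subject
# names and file layout below are invented for the example.
set -eu

# Steps 1-3 of the original procedure, with -subj so nothing prompts.
make_ca_and_server_cert() {
    dir="$1"
    mkdir -p "$dir"
    # 1. self-signed CA: key and cert in one go, unencrypted key (-nodes)
    openssl req -days 3650 -nodes -new -x509 -newkey rsa:2048 \
        -subj "/CN=example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. server key and certificate request
    openssl req -days 3650 -nodes -new -newkey rsa:2048 \
        -subj "/CN=mail.example.invalid" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. sign the request with the CA
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# The poster's check: does server.crt chain to ca.crt? (exit 0 = yes)
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Does the RSA modulus in a private key ($1) match the one in a cert ($2)?
# Run it on ca.key/ca.crt and server.key/server.crt: a stale file left over
# from an earlier run (key regenerated but cert not, or vice versa) fails here.
keypair_matches() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Does the issuer DN on server.crt equal the subject DN on ca.crt?
# The two are printed with different "issuer="/"subject=" prefixes (and older
# releases add a space after "="), so strip the prefix before comparing.
issuer_matches_ca() {
    iss=$(openssl x509 -in "$1/server.crt" -noout -issuer | sed 's/^[a-z]*= *//')
    sub=$(openssl x509 -in "$1/ca.crt" -noout -subject | sed 's/^[a-z]*= *//')
    [ "$iss" = "$sub" ]
}

# Failure mode: verify server.crt against a *different* CA that carries the
# same subject DN but a different key. OpenSSL of the poster's era (1.0.x)
# finds the issuer by name, tries the signature with the wrong public key and
# reports "certificate signature failure" plus the RSA padding errors shown
# in the post; newer releases may instead say no issuer was found. Either
# way the verification must fail (exit status non-zero).
verify_against_unrelated_ca() {
    other="$1.other"
    mkdir -p "$other"
    openssl req -days 3650 -nodes -new -x509 -newkey rsa:2048 \
        -subj "/CN=example-ca" \
        -keyout "$other/ca.key" -out "$other/ca.crt" 2>/dev/null
    openssl verify -CAfile "$other/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone demo (skip with CERT_DEMO=0): one line per check.
if [ "${CERT_DEMO:-1}" = 1 ]; then
    report() { if "$@" >/dev/null 2>&1; then echo "ok   $1"; else echo "FAIL $1"; fi; }
    d=$(mktemp -d)
    make_ca_and_server_cert "$d"
    report verify_chain "$d"
    report keypair_matches "$d/ca.key" "$d/ca.crt"
    report keypair_matches "$d/server.key" "$d/server.crt"
    report issuer_matches_ca "$d"
    if verify_against_unrelated_ca "$d"; then
        echo "FAIL unrelated CA with same DN was accepted"
    else
        echo "ok   unrelated CA with same DN was rejected"
    fi
    rm -rf "$d" "$d.other"
fi
```

When verify_chain fails on a real deployment, run keypair_matches on both pairs and issuer_matches_ca before touching anything else: the first tells you whether the files you think belong together actually do, the second whether the certificate on disk was signed by the CA named in -CAfile at all. Prefer regenerating every file of a pair in the same step, as make_ca_and_server_cert does, over reusing any of them.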
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org