a private ca question
Guys: I have a question regarding how to implement/use a private CA with OpenSSL. The following is what I have done:

1. Generate CA private key and CA certificate:

   $ openssl genrsa -out cakey.pem 1024
   $ openssl req -new -key cakey.pem -out cacert_req.pem
   $ openssl x509 -req -days 300 -in cacert_req.pem -signkey cakey.pem -out cacert.pem

My intention here is to get the CA private key (cakey.pem) and CA certificate (cacert.pem). I am assuming the CA certificate is self-signed.

2. Generate SSL private key and sign its corresponding public key with the CA's private key:

   $ openssl genrsa -out ssl_key.pem 1024
   $ openssl req -new -key ssl_key.pem -out sslcert_req.pem
   $ openssl x509 -req -days 200 -in sslcert_req.pem -signkey cakey.pem -out ssl_cert.pem

My intention here is to get the RSA private key (ssl_key.pem) and its corresponding certificate signed by the CA (ssl_cert.pem).

However, when I tried to use these three keys (ssl_key.pem, ssl_cert.pem, cacert.pem) to start an SSL server, I got the following error:

   $ openssl s_server -accept 1500 -cert ssl_cert.pem -key ssl_key.pem -CAfile cacert.pem -debug -state
   Using default temp DH parameters
   unable to get private key from ssl_key.pem
   14841:error:0B080074:x509:certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:279:

Obviously, I did something wrong in the process. Is the way I create/use the private CA wrong? Does anybody here have quick ideas what is going on? Thanks in advance.

Chong Peng

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: a private ca question
Hey there:

I think you can simplify the process (see inline):

On Monday 27 November 2006 21:15, Chong Peng wrote:
> Guys: I have a question regarding how to implement/use a private CA with OpenSSL. The following is what I have done:
>
> 1. Generate CA private key and CA certificate:
>
>    $ openssl genrsa -out cakey.pem 1024
>    $ openssl req -new -key cakey.pem -out cacert_req.pem
>    $ openssl x509 -req -days 300 -in cacert_req.pem -signkey cakey.pem -out cacert.pem

Could become:

   openssl req -new -x509 -keyout cakey.pem -newkey rsa:1024 \
       -out cacert.pem -days 300

and then:

> My intention here is to get the CA private key (cakey.pem) and CA certificate (cacert.pem). I am assuming the CA certificate is self-signed.
>
> 2. Generate SSL private key and sign its corresponding public key with the CA's private key:
>
>    $ openssl genrsa -out ssl_key.pem 1024
>    $ openssl req -new -key ssl_key.pem -out sslcert_req.pem
>    $ openssl x509 -req -days 200 -in sslcert_req.pem -signkey cakey.pem -out ssl_cert.pem

becomes:

   # Generate the key and request.
   openssl req -new -keyout ssl_key.pem -newkey rsa:1024 -out ssl_req.pem

   # Sign the keys...
   openssl ca -config openssl.cnf -keyfile cakey.pem -in ssl_req.pem \
       -out ssl_cert.pem -days 200

Just make sure that your openssl.cnf is properly configured (you'll want to make sure that you have the extensions set such that your server will accept them).

The CA.pl script that comes with OpenSSL actually does most of this for you, as long as you configure your openssl.cnf file properly.

Have fun!

--
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
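The whole flow from the thread, written out as an added example that is not part of either post: it builds the CA the way the reply suggests (key and self-signed certificate in one `openssl req -x509` call), then signs the server CSR with `openssl x509 -req -CA cacert.pem -CAkey cakey.pem` instead of the reply's `openssl ca`, so no index or serial database is needed and the script is self-contained. Beside the correct signing step it re-runs the original post's `-signkey cakey.pem` command to show why that one fails: `-signkey` self-signs the request and replaces its public key with the signing key's public key, so the resulting certificate belongs to the CA key, not to ssl_key.pem, which is exactly the `X509_check_private_key` mismatch s_server reported. The extension profiles, the file names, `CN=localhost` and the config file name `ca.cnf` are this example's own choices, and key sizes are 2048 bits rather than the 1024 used in 2006.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal private CA with
# openssl, the correct CSR signing step beside the poster's "-signkey" one,
# and the same key/cert match check that s_server performs on start-up.
# ca.cnf, CN=localhost and all file names are this example's own choices.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }

# Extension profiles: the CA certificate must carry CA:TRUE; the server
# certificate must not, and needs a SAN for clients to accept it.
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext

[ ca_dn ]
commonName = Example Private CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:localhost
authorityKeyIdentifier = keyid, issuer
EOF
}

# 1. CA private key plus self-signed CA certificate in a single step.
make_ca() {
  write_config "$1"
  openssl req -new -x509 -days 300 -newkey rsa:2048 -nodes \
    -config "$1/ca.cnf" -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# 2. Server key and CSR, then sign the CSR with the CA certificate and key.
#    -CA/-CAkey keeps the CSR's public key and sets the issuer to the CA.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -config "$1/ca.cnf" -keyout "$1/ssl_key.pem" -out "$1/sslcert_req.pem" 2>/dev/null
  openssl x509 -req -days 200 -in "$1/sslcert_req.pem" \
    -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
    -extfile "$1/ca.cnf" -extensions server_ext -out "$1/ssl_cert.pem" 2>/dev/null
}

# The signing command from the original post, kept only to show its output:
# -signkey swaps the CSR's public key for the CA key's public key.
make_server_cert_wrong() {
  openssl x509 -req -days 200 -in "$1/sslcert_req.pem" \
    -signkey "$1/cakey.pem" -out "$1/ssl_cert_wrong.pem" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo, taken from a private key ("key")
# or from a certificate ("cert"), so the two can be compared as strings.
pubkey_fingerprint() {
  if [ "$1" = key ]; then
    openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256
  else
    openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
  fi
}

# What X509_check_private_key decides: does the key's public half equal the
# certificate's public key? Exit status 0 = match.
key_matches_cert() {
  [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

# Does the certificate chain to our CA? Exit status 0 = yes.
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# Walk the whole flow in a scratch directory and report both outcomes.
demo() {
  dir=$(mktemp -d)
  make_ca "$dir"
  make_server_cert "$dir"
  make_server_cert_wrong "$dir"
  if key_matches_cert "$dir/ssl_key.pem" "$dir/ssl_cert.pem"; then
    echo "ssl_cert.pem: public key matches ssl_key.pem"
  fi
  if ! key_matches_cert "$dir/ssl_key.pem" "$dir/ssl_cert_wrong.pem"; then
    echo "ssl_cert_wrong.pem (-signkey cakey.pem): key values mismatch, as in the post"
  fi
  verify_chain "$dir" "$dir/ssl_cert.pem" && echo "ssl_cert.pem verifies against cacert.pem"
  echo "try: openssl s_server -accept 1500 -cert $dir/ssl_cert.pem -key $dir/ssl_key.pem -CAfile $dir/cacert.pem"
}

demo
```

The `pubkey_fingerprint` comparison is the quick diagnostic for the error in the post: run it against the key and the certificate before starting `s_server`, and a mismatch points at the signing step rather than at the server configuration. Adding `-CA`/`-CAkey` is the only change needed to the poster's step 2; the CA step with `-signkey` is correct because a self-signed root is the one case where the signing key and the certificate's key are meant to be the same.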