From the logs, I can deduce that openssl expects to find the key file at:
./etc/ssl/private/strongswanKey.pem which, according to the bash prompt, is: /etc/ipsec.d/cacerts/etc/ssl/private/strongswanKey.pem That doesn't look like the normal way of doing things, so I am assuming it is wrong. I am guessing that you need to set dir like this (absolute path): dir = /etc/ssl You had it set as ./etc/ssl, which is relative to the current working directory of the openssl process, not to the location of openssl.cnf (probably not what you intended). Regards, Dimitrios Siganos Sushil Chaudhari wrote: > Hi Everyone, > > I am trying to sign the user certificate from the certification authority but > getting the following error: > > r...@sushil:/etc/ipsec.d/cacerts# openssl ca -in moonReq.pem -days 730 -out > moonCert.pem -notext > Using configuration from /usr/lib/ssl/openssl.cnf > Error opening CA private key ./etc/ssl/private/strongswanKey.pem > 17427:error:02001002:system library:fopen:No such file or > directory:bss_file.c:352:fopen('./etc/ssl/private/strongswanKey.pem','r') > 17427:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354: > unable to load CA private key > > > My openssl.cnf is as follows: > # > # OpenSSL example configuration file. > # This is mostly being used for generation of certificate requests. > # > > # This definition stops the following lines choking if HOME isn't > # defined. > HOME = . > RANDFILE = $ENV::HOME/.rnd > > # Extra OBJECT IDENTIFIER info: > #oid_file = $ENV::HOME/.oid > oid_section = new_oids > > # To use this configuration file with the "-extfile" option of the > # "openssl x509" utility, name here the section containing the > # X.509v3 extensions to use: > # extensions = > # (Alternatively, use a configuration file that has only > # X.509v3 extensions in its main [= default] section.) > > [ new_oids ] > > # We can add new OIDs in here for use by 'ca' and 'req'. 
> # Add a simple OID like this: > # testoid1=1.2.3.4 > # Or use config file substitution like this: > # testoid2=${testoid1}.5.6 > > #################################################################### > [ ca ] > default_ca = CA_default # The default ca section > > #################################################################### > [ CA_default ] > > #dir = ./demoCA # Where everything is kept > dir = ./etc/ssl > certs = $dir/certs # Where the issued certs are kept > crl_dir = $dir/crl # Where the issued crl are kept > database = $dir/index.txt # database index file. > #unique_subject = no # Set to 'no' to allow creation > of > # several ctificates with same subject. > new_certs_dir = $dir/newcerts # default place for new certs. > > #certificate = $dir/cacert.pem # The CA certificate > certificate = $dir/strongswanCert.pem > serial = $dir/serial # The current serial number > crlnumber = $dir/crlnumber # the current crl number > # must be commented out to leave a V1 > CRL > crl = $dir/crl.pem # The current CRL > #private_key = $dir/private/cakey.pem# The private key > private_key = $dir/private/strongswanKey.pem > RANDFILE = $dir/private/.rand # private random number file > > x509_extensions = usr_cert # The extentions to add to the > cert > > # Comment out the following two lines for the "traditional" > # (and highly broken) format. > name_opt = ca_default # Subject Name options > cert_opt = ca_default # Certificate field options > > # Extension copying option: use with caution. > # copy_extensions = copy > > # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs > # so this is commented out by default to leave a V1 CRL. > # crlnumber must also be commented out to leave a V1 CRL. > # crl_extensions = crl_ext > > default_days = 365 # how long to certify for > default_crl_days= 30 # how long before next CRL > default_md = sha1 # which md to use. 
> preserve = no # keep passed DN ordering > > # A few difference way of specifying how similar the request should look > # For type CA, the listed attributes must be the same, and the optional > # and supplied fields are just that :-) > policy = policy_match > > # For the CA policy > [ policy_match ] > countryName = match > stateOrProvinceName = match > organizationName = match > organizationalUnitName = optional > commonName = supplied > emailAddress = optional > > # For the 'anything' policy > # At this point in time, you must list all acceptable 'object' > # types. > [ policy_anything ] > countryName = optional > stateOrProvinceName = optional > localityName = optional > organizationName = optional > organizationalUnitName = optional > commonName = supplied > emailAddress = optional > > #################################################################### > [ req ] > default_bits = 1024 > default_keyfile = privkey.pem > distinguished_name = req_distinguished_name > attributes = req_attributes > x509_extensions = v3_ca # The extentions to add to the self signed cert > > # Passwords for private keys if not present they will be prompted for > # input_password = secret > # output_password = secret > > # This sets a mask for permitted string types. There are several options. > # default: PrintableString, T61String, BMPString. > # pkix : PrintableString, BMPString. > # utf8only: only UTF8Strings. > # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). > # MASK:XXXX a literal mask value. > # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings > # so use this option with caution! 
> string_mask = nombstr > > # req_extensions = v3_req # The extensions to add to a certificate request > > [ req_distinguished_name ] > countryName = Country Name (2 letter code) > countryName_default = AU > countryName_min = 2 > countryName_max = 2 > > stateOrProvinceName = State or Province Name (full name) > stateOrProvinceName_default = Some-State > > localityName = Locality Name (eg, city) > > 0.organizationName = Organization Name (eg, company) > 0.organizationName_default = Internet Widgits Pty Ltd > > # we can do this but it is not needed normally :-) > #1.organizationName = Second Organization Name (eg, company) > #1.organizationName_default = World Wide Web Pty Ltd > > organizationalUnitName = Organizational Unit Name (eg, section) > #organizationalUnitName_default = > > commonName = Common Name (eg, YOUR name) > commonName_max = 64 > > emailAddress = Email Address > emailAddress_max = 64 > > # SET-ex3 = SET extension number 3 > > [ req_attributes ] > challengePassword = A challenge password > challengePassword_min = 4 > challengePassword_max = 20 > > unstructuredName = An optional company name > > [ usr_cert ] > > # These extensions are added when 'ca' signs a request. > > # This goes against PKIX guidelines but some CAs do it and some software > # requires this to avoid interpreting an end user certificate as a CA. > > basicConstraints=CA:FALSE > > # Here are some examples of the usage of nsCertType. If it is omitted > # the certificate can be used for anything *except* object signing. > > # This is OK for an SSL server. > # nsCertType = server > > # For an object signing certificate this would be used. > # nsCertType = objsign > > # For normal client use this is typical > # nsCertType = client, email > > # and for everything including object signing: > # nsCertType = client, email, objsign > > # This is typical in keyUsage for a client certificate. 
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > # This will be displayed in Netscape's comment listbox. > nsComment = "OpenSSL Generated Certificate" > > # PKIX recommendations harmless if included in all certificates. > subjectKeyIdentifier=hash > authorityKeyIdentifier=keyid,issuer > > # This stuff is for subjectAltName and issuerAltname. > # Import the email address. > # subjectAltName=email:copy > # An alternative to produce certificates that aren't > # deprecated according to PKIX. > # subjectAltName=email:move > > # Copy subject details > # issuerAltName=issuer:copy > > #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem > #nsBaseUrl > #nsRevocationUrl > #nsRenewalUrl > #nsCaPolicyUrl > #nsSslServerName > > [ v3_req ] > > # Extensions to add to a certificate request > > basicConstraints = CA:FALSE > keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > [ v3_ca ] > > > # Extensions for a typical CA > > > # PKIX recommendation. > > subjectKeyIdentifier=hash > > authorityKeyIdentifier=keyid:always,issuer:always > > # This is what PKIX recommends but some broken software chokes on critical > # extensions. > #basicConstraints = critical,CA:true > # So we do this instead. > basicConstraints = CA:true > > # Key usage: this is typical for a CA certificate. However since it will > # prevent it being used as an test self-signed certificate it is best > # left out by default. > # keyUsage = cRLSign, keyCertSign > > # Some might want this also > # nsCertType = sslCA, emailCA > > # Include email address in subject alt name: another PKIX recommendation > # subjectAltName=email:copy > # Copy issuer details > # issuerAltName=issuer:copy > > # DER hex encoding of an extension: beware experts only! > # obj=DER:02:03 > # Where 'obj' is a standard or added object > # You can even override a supported extension: > # basicConstraints= critical, DER:30:03:01:01:FF > > [ crl_ext ] > > # CRL extensions. 
> # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. > > # issuerAltName=issuer:copy > authorityKeyIdentifier=keyid:always,issuer:always > > [ proxy_cert_ext ] > # These extensions should be added when creating a proxy certificate > > # This goes against PKIX guidelines but some CAs do it and some software > # requires this to avoid interpreting an end user certificate as a CA. > > basicConstraints=CA:FALSE > > # Here are some examples of the usage of nsCertType. If it is omitted > # the certificate can be used for anything *except* object signing. > > # This is OK for an SSL server. > # nsCertType = server > > # For an object signing certificate this would be used. > # nsCertType = objsign > > # For normal client use this is typical > # nsCertType = client, email > > # and for everything including object signing: > # nsCertType = client, email, objsign > > # This is typical in keyUsage for a client certificate. > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > # This will be displayed in Netscape's comment listbox. > nsComment = "OpenSSL Generated Certificate" > > # PKIX recommendations harmless if included in all certificates. > subjectKeyIdentifier=hash > authorityKeyIdentifier=keyid,issuer:always > > # This stuff is for subjectAltName and issuerAltname. > # Import the email address. > # subjectAltName=email:copy > # An alternative to produce certificates that aren't > # deprecated according to PKIX. > # subjectAltName=email:move > > # Copy subject details > # issuerAltName=issuer:copy > > #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem > #nsBaseUrl > #nsRevocationUrl > #nsRenewalUrl > #nsCaPolicyUrl > #nsSslServerName > > # This really needs to be in place for it to be a proxy certificate. > proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo > > Can anybody help me out what might be the error? 
> > Thanks > _______________________________________________ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users > _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users