sign.sh woes

on 19.06.2002 17:00:23 by Colm McCartan

Hello all,

I *know* this has been done to death before but I just can't find any
solutions anywhere on the net or in the archives: just lots of descriptions
of the problem!

After running sign.sh I have the typical error:
-----------------------------------------------------------
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=UK/ST=Midlothian/L=Edinburgh/O=Panasonic
OWL/OU=R&D/CN=oscar-demo.owl.co.uk/Email=admin@oscar-demo.owl.co.uk
error 18 at 0 depth lookup:self signed certificate
/C=UK/ST=Midlothian/L=Edinburgh/O=Panasonic
OWL/OU=R&D/CN=oscar-demo.owl.co.uk/Email=admin@oscar-demo.owl.co.uk
error 7 at 0 depth lookup:certificate signature failure
-----------------------------------------------------------

My directory has the server.csr, the ca.key and ca.crt.

People have advised the use of the ssl.ca scripts in the contrib area but
this is basically the same sign script!

Version: openssl-0.9.6

Does anybody have any suggestions on this? Also, the best way to clean up
after it fails: just delete the generated certs db?

Cheers,
colm

.................................................................
colm mccartan
panasonic owl uk
colmm@owl.co.uk
(44) 131 561 1035

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: sign.sh woes

on 20.06.2002 01:12:14 by ilya

>Hello all,
>
>I *know* this has been done to death before but I just can't find
>any solutions anywhere on the net or in the archives: just lots of
>descriptions of the problem!
>
>After running sign.sh I have the typical error:
>-----------------------------------------------------------
>Sign the certificate? [y/n]:y
>
>1 out of 1 certificate requests certified, commit? [y/n]y
>Write out database with 1 new entries
>Data Base Updated
>CA verifying: server.crt <-> CA cert
>server.crt: /C=UK/ST=Midlothian/L=Edinburgh/O=Panasonic
>OWL/OU=R&D/CN=oscar-demo.owl.co.uk/Email=admin@oscar-demo.owl.co.uk
>error 18 at 0 depth lookup:self signed certificate
>/C=UK/ST=Midlothian/L=Edinburgh/O=Panasonic
>OWL/OU=R&D/CN=oscar-demo.owl.co.uk/Email=admin@oscar-demo.owl.co.uk
>error 7 at 0 depth lookup:certificate signature failure
>-----------------------------------------------------------
>
>My directory has the server.csr, the ca.key and ca.crt.
>
>People have advised the use of the ssl.ca scripts in the contrib
>area but this is basically the same sign script!
>
>Version: openssl-0.9.6
>
>Does anybody have any suggestions on this? Also, the best way to
>clean up after it fails: just delete the generated certs db?
>
>Cheers,
>colm
>

I had the same problem some months ago too. Looks like a bug (feature? :)
in openssl. If the CA and the certificate have the same CN, signing fails
with this error. I didn't see this limitation in the SSL RFCs, but now I
just use different CNs.

best

Ilya
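
A pre-signing check for the situation described in the reply above, as an added example that is not part of the thread or of sign.sh. It compares the whole subject DN rather than only the CN, on the assumption that the verify step's self-signed test is a subject/issuer name match; the helper names, the temporary directory and the example.test subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect a CSR whose subject DN equals the
# CA certificate's subject DN before signing. Helper names are hypothetical.

# Print a DN in RFC 2253 form so CSR and certificate output are comparable.
csr_subject()  { openssl req  -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'; }

# True when signing this CSR with this CA would produce issuer == subject.
# An unreadable file yields an empty DN, which is never reported as a match.
subject_collides() {        # usage: subject_collides ca.crt server.csr
    ca_dn_out=$(cert_subject "$1"); csr_dn_out=$(csr_subject "$2")
    [ -n "$ca_dn_out" ] && [ "$ca_dn_out" = "$csr_dn_out" ]
}

# True when an already issued certificate names itself as its issuer.
self_issued_by_name() {     # usage: self_issued_by_name server.crt
    subj=$(cert_subject "$1")
    [ -n "$subj" ] && [ "$subj" = "$(cert_issuer "$1")" ]
}

# Constructed demo data: a throwaway CA and two CSRs in a temp directory.
demo=$(mktemp -d)
ca_dn='/C=UK/O=Example Org/CN=demo.example.test'
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$ca_dn" \
    -keyout "$demo/ca.key" -out "$demo/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "$ca_dn" \
    -keyout "$demo/same.key" -out "$demo/same.csr" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
    -subj '/C=UK/O=Example Org/CN=www.demo.example.test' \
    -keyout "$demo/ok.key" -out "$demo/ok.csr" 2>/dev/null

for name in same ok; do
    if subject_collides "$demo/ca.crt" "$demo/$name.csr"; then
        echo "$name.csr: subject equals the CA subject, change the DN before signing"
    else
        echo "$name.csr: subject differs from the CA subject"
    fi
    # Sign anyway so the post-issuance check can be shown on both results.
    openssl x509 -req -days 1 -in "$demo/$name.csr" -CA "$demo/ca.crt" \
        -CAkey "$demo/ca.key" -CAcreateserial -out "$demo/$name.crt" 2>/dev/null
    self_issued_by_name "$demo/$name.crt" && echo "$name.crt: issuer name equals subject name"
done
```

Against the files from the first post the calls would be `subject_collides ca.crt server.csr` before signing and `self_issued_by_name server.crt` afterwards.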