More certificate problems

More certificate problems

am 17.06.2004 18:43:42 von Richard Skeggs

I am having problems signing the certificate

I can successfully generate the RSA private key using the command
openssl genrsa -des3 -out server.key 1024

I can a CSR file using
openssl req -new -key server.key -out server.csr

I can even generate the RSA frivate key for the CA
openssl genrsa -des3 -out ca.key 1024

I have even created the self sign certificate using
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

When I try and run the shell script sign.sh I get as far as
Sign the certificate? [y/n]
to which I answer 'y'

The reply i get back from the script is

'failed to update database'
'TT_DB error number 2'
'unable to load certificate'
'16129:error:0906D06C:PEM routines:PEM_read_bio: no start
line:pem_lib.c:632 Expecting TRUSTED CERTIFICATE'

I obviously find that the server.crt is empty. I would appreciate some
help with this problem

Thanks

Richard Skeggs




The sign.sh shell script I am using is shown below

#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights
Reserved.
##

# argument line handling
CSR=3D$1
if [ $# -ne 1 ]; then
echo "Usage: sign.sign .csr"; exit 1
fi
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
*.csr ) CERT=3D"`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
* ) CERT=3D"$CSR.crt" ;;
esac

# make sure environment exists
if [ ! -d ca.db.certs ]; then
mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
fi

# create an own SSLeay config
cat >ca.config < [ ca ]
default_ca =3D CA_own
[ CA_own ]
dir =3D /etc/ssl
certs =3D /etc/ssl/certs
new_certs_dir =3D /etc/ssl/ca.db.certs
database =3D /etc/ssl/ca.db.index
serial =3D /etc/ssl/ca.db.serial
RANDFILE =3D /etc/ssl/ca.db.rand
certificate =3D /etc/ssl/certs/ca.crt
private_key =3D /etc/ssl/private/ca.key
default_days =3D 365
default_crl_days =3D 30
default_md =3D md5
preserve =3D no
policy =3D policy_anything
[ policy_anything ]
countryName =3D optional
stateOrProvinceName =3D optional
localityName =3D optional
organizationName =3D optional
organizationalUnitName =3D optional
commonName =3D supplied
emailAddress =3D optional
EOT

# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org