request some assistance with ssl certificates *fixed!

taskara
Advocate
Advocate
Posts: 3762
Joined: Wed Apr 10, 2002 11:38 pm
Location: Australia

Post by taskara » Tue Jun 17, 2003 10:16 pm

Hi,

I've stopped bashing my head on the desk to post this message :)

I'm following the Home Email Guide as found here, section 3.5, "Postfix TLS Support".

I am trying to create an ssl certificate, and am running into some problems.

I have openssl emerged, and have edited my CA.pl file to say -nodes, as per the instructions. Here is a copy of the relevant section from the file:

Code: Select all

# create a certificate 
system ("$REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS"); 
$RET=$?; 
print "Certificate (and private key) is in newreq.pem\n" 
} elsif (/^-newreq$/) { 
# create a certificate request 
system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS"); 
$RET=$?; 
print "Request (and private key) is in newreq.pem\n"; 
when I run

Code: Select all

./CA.pl -newca
from the /etc/ssl/misc directory it asks me for a password:
CA certificate filename (or enter to create)
I just press enter.

then it continues asking
Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...........................++++++
.................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
if I just press "enter" it says
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
what do I put in for the PEM pass phrase ?

I tried putting in my password (just to see what would happen) and it continued through this section, and went on to asking me my location and details etc. looked like it all worked.

however the next section of the document says to
cp newcert.pem /etc/postfix
but the file does not exist... newreq.pem exists, but not newcert.pem :(

so I am at a loss to see what the problem is... if anyone can shed some light, I would be most grateful!! thanks very much :)

pleeeeeease anyone?? :cry:
Last edited by taskara on Fri Jun 20, 2003 12:07 am, edited 3 times in total.
Kororaa install method - have Gentoo up and running quickly and easily, fully automated with an installer!

Post by taskara » Wed Jun 18, 2003 11:01 am

pleeeeeease ... :cry:

Post by taskara » Thu Jun 19, 2003 5:22 am

pretty pleeeease?
Chris W
l33t
l33t
Posts: 972
Joined: Tue Jun 25, 2002 11:38 am
Location: Brisbane, Australia

Post by Chris W » Thu Jun 19, 2003 7:39 am

I would guess that you missed the

Code: Select all

# ./CA.pl -sign
step that creates the newcert.pem file.

As for the passphrase, have you tried entering something?
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein

Post by taskara » Thu Jun 19, 2003 7:58 am

hi chris, thanks!

in the instructions ./CA.pl -sign comes as the last step..

I did try putting in my password when it asked for one, and it continued without error, but then I couldn't find the file...

so I'm kinda at a loss as to what to do.. I'll try again, and if you like I can post everything it does step by step ?

Post by taskara » Thu Jun 19, 2003 8:00 am

btw dude, you are in Canberra! :) I'm in Canberra too :)

Post by taskara » Thu Jun 19, 2003 9:06 am

**EDIT - this is NOT fixed :(

well problem appears to be fixed.. I don't know what was stopping it from working b4, but I tried doing exactly what I have done the last 10 times again. This time when I did an emerge -U world, it installed one new app that wasn't there b4, something about ip.. anyway here's what I did (as I have done the last 10 times!!)

Code: Select all

emerge -C openssl
rm -fR /etc/ssl/
emerge rsync
emerge -U world
emerge openssl
nano -w /etc/ssl/misc/CA.pl (add "-nodes" and save)
cd /etc/ssl/misc
then I ran the command to create the new certificate

Code: Select all

./CA.pl -newcert
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SmartClan
Organizational Unit Name (eg, section) []:Family
Common Name (eg, YOUR name) []:Chris
Email Address []:root@localhost
Certificate (and private key) is in newreq.pem
and as you can see it worked

Code: Select all

root@server misc # ls newreq.pem
newreq.pem
so I don't know why it worked today.. but it did..

no wonder it was so frustrating, and no wonder no one helped me :S

ONE THING THO I kept asking people whether "when I ran ./CA.pl -newcert" I should get a question asking for a password?

no-one ever replied

so I'm here to tell anyone else out there, that NO it should not ask for a password or PEM Passphrase, it should work exactly as you see above.

hope this can help some other poor fool

thanks to everyone for their input, I really appreciate it! :) YAY onto the next step!
Last edited by taskara on Thu Jun 19, 2003 9:22 am, edited 1 time in total.

Post by taskara » Thu Jun 19, 2003 9:19 am

ARGH

no it's not fixed.. I must be stupid. When I run ./CA.pl it creates newreq.pem NOT newcert.pem

anyway here is the entire process in case someone cares to go through it and see what I'm doing wrong..

Code: Select all

root@server misc # ./CA.pl -newcert
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SmartClan
Organizational Unit Name (eg, section) []:Family
Common Name (eg, YOUR name) []:Chris
Email Address []:root@localhost
Certificate (and private key) is in newreq.pem

Code: Select all

root@server misc # ls
CA.pl  CA.sh  c_hash  c_info  c_issuer  c_name  der_chop  newreq.pem

Code: Select all

root@server misc # ls newreq.pem
newreq.pem

Code: Select all

root@server misc # ls newcert.pem
ls: newcert.pem: No such file or directory

Code: Select all

root@server misc # ./CA.pl -newreq
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
....++++++
............................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SmartClan
Organizational Unit Name (eg, section) []:Family
Common Name (eg, YOUR name) []:Chris
Email Address []:root@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem

Code: Select all

root@server misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory
trying to load CA private key
21227:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
21227:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
Signed certificate is in newcert.pem

Code: Select all

root@server misc # ls
CA.pl  CA.sh  c_hash  c_info  c_issuer  c_name  der_chop  newreq.pem
it looks to me like ./CA.pl -newcert is doing the SAME THING as ./CA.pl -newcert

so is there something I have to change in the /etc/ssl/misc/CA.pl file ?

here it is
# create a certificate
system ("$REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Certificate (and private key) is in newreq.pem\n"
} elsif (/^-newreq$/) {
# create a certificate request
system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request (and private key) is in newreq.pem\n";
I notice the printout is newreq.pem for BOTH commands.. sigh..

any thoughts?

thanks

Post by Chris W » Thu Jun 19, 2003 11:49 pm

The instructions don't require you to run ./CA.pl -newcert?! From the instructions:

Code: Select all

root@server # cd /etc/ssl/misc
(1) root@server # ./CA.pl -newca
(2) root@server # ./CA.pl -newreq
(3) root@server # ./CA.pl -sign
root@server # cp newcert.pem /etc/postfix
root@server # cp newreq.pem /etc/postfix
root@server # cp demoCA/cacert.pem /etc/postfix
Step (1) should create the cakey.pem it is complaining about. I think you're misreading this command as ./CA.pl -newcert (as I did last night).
Step (2) creates a request for the CA to certify (newreq.pem)
Step (3) self-signs the request to create a certificate (newcert.pem).
it looks to me like ./CA.pl -newcert is doing the SAME THING as ./CA.pl -newcert
I would hope so :)

There's no need to emerge any of the software, just rerun the steps.
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
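
The three steps listed in the reply above, reproduced with plain openssl commands as an added example (not part of the original thread and not the guide's CA.pl script). The subject fields, the passphrase, the 2048-bit key size and the separate newkey.pem file are assumptions; it shows why the CA key step takes a pass phrase while the -nodes server key does not.

```shell
#!/usr/bin/env bash
# Added example: -newca / -newreq / -sign done with openssl directly.
# Subjects, passphrase and file layout are constructed placeholders.

make_chain() (
    # $1 = working directory; exit status 0 if newcert.pem verifies against the CA
    cd "$1" || exit 1
    pass="pass:example-ca-passphrase"   # constructed; the CA key is encrypted with it

    # (1) like -newca: passphrase-protected CA key + self-signed CA certificate
    openssl req -new -x509 -newkey rsa:2048 -days 365 -passout "$pass" \
        -keyout cakey.pem -out cacert.pem \
        -subj "/C=AU/O=Example CA/CN=Example Root" 2>/dev/null || exit 1

    # (2) like -newreq with -nodes: unencrypted server key + certificate request
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout newkey.pem -out newreq.pem \
        -subj "/C=AU/O=Example/CN=mail.example.org" 2>/dev/null || exit 1
    chmod 600 newkey.pem                # no passphrase, so restrict who can read it

    # (3) like -sign: the CA key signs the request, producing newcert.pem
    openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
        -passin "$pass" -CAcreateserial -days 365 -out newcert.pem 2>/dev/null || exit 1

    openssl verify -CAfile cacert.pem newcert.pem >/dev/null 2>&1
)

# True when a PEM key file is passphrase-protected (both PEM header styles).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

work=$(mktemp -d)
if make_chain "$work"; then
    echo "newcert.pem verifies against cacert.pem"
    key_is_encrypted "$work/cakey.pem"  && echo "CA key: passphrase-protected"
    key_is_encrypted "$work/newkey.pem" || echo "server key: unencrypted (-nodes)"
fi
```

Skipping step (1) leaves no cakey.pem for step (3) to sign with, which is the failure shown in the `./CA.pl -sign` output earlier in the thread.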

Post by taskara » Fri Jun 20, 2003 12:00 am

HAHAHAHA... I hope that is all it was.. and I sort of hope it wasn't ;)

well I've run it again, and here's the output:

Code: Select all

root@server misc # ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
................++++++
............++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SmartClan
Organizational Unit Name (eg, section) []:Family
Common Name (eg, YOUR name) []:Chris
Email Address []:root@localhost
root@server misc #
then I run ./CA.pl -newreq and ./CA.pl -sign and hey what do you know.. it all works.

I originally got stuck when I ran ./CA.pl -newca it was asking for a password and pem phrase (as you can see above) and everyone said it should not ask anything. so I got confused and no-one would tell me what to put in there.

then as it got later in the night, and days passed -newca became -newcert lol ;)

I'll buy you a beer or two sometime ;)

thanks soo so sosososoooo much :D

Post by taskara » Fri Jun 20, 2003 12:09 am

as you can see up the top, I was running ./CA.pl -newca ;)

even so, they should screen out idiots like me from using gentoo :S

anyway, this time when I en-emerged openssl I rebooted.. the other times I didn't..

which was good cause it stopped ssh from working. b4 ssh was running and using the ssl libraries.. maybe that affected something.. I dunno..

anyway thanks heaps for your help :)