CA.pl/CA.sh fail - can't create root CA

csa321
I'm getting a segv when trying to run CA.pl/.sh to create a rootCA:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
unknown option -create_serial
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, one of md2, md5, sha or sha1
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates
./CA.sh: line 197: 10495 Segmentation fault      $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch -keyfile ${CATOP}/private/$CAKEY -selfsign -extensions v3_ca -infiles ${CATOP}/$CAREQ

I tried removing the -create_serial option and then it complains about the -selfsign option.  Removed that too - but it just errors out, never creating my root ca cert.

Anyone encountered this before?  Happens with openssl 0.9.8m/1.0.0 on SUSE Linux 9.

Thanks in advance!
RE: CA.pl/CA.sh fail - can't create root CA

Eisenacher, Patrick
Hello asc123,

> -----Original Message-----
> From: owner-openssl-users On Behalf Of asc123
>
> I'm getting a segv when trying to run CA.pl/.sh to create a rootCA:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> unknown option -create_serial
> usage: ca args
>
>  -verbose        - Talk alot while doing things
>  -config file    - A config file
>  -name arg       - The particular CA definition to use
>  -gencrl         - Generate a new CRL
>  -crldays days   - Days is when the next CRL is due
>  -crlhours hours - Hours is when the next CRL is due
>  -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
>  -enddate YYMMDDHHMMSSZ    - certificate validity notAfter
> (overrides -days)
>  -days arg       - number of days to certify the certificate for
>  -md arg         - md to use, one of md2, md5, sha or sha1
>  -policy arg     - The CA 'policy' to support
>  -keyfile arg    - private key file
>  -keyform arg    - private key file format (PEM or ENGINE)
>  -key arg        - key to decode the private key if it is encrypted
>  -cert file      - The CA certificate
>  -in file        - The input PEM encoded certificate request(s)
>  -out file       - Where to put the output file(s)
>  -outdir dir     - Where to put output certificates
>  -infiles ....   - The last argument, requests to process
>  -spkac file     - File contains DN and signed public key and
> challenge
>  -ss_cert file   - File contains a self signed cert to sign
>  -preserveDN     - Don't re-order the DN
>  -noemailDN      - Don't add the EMAIL field into
> certificate' subject
>  -batch          - Don't ask questions
>  -msie_hack      - msie modifications to handle all those
> universal strings
>  -revoke file    - Revoke a certificate (given in file)
>  -subj arg       - Use arg instead of request's subject
>  -extensions ..  - Extension section (override value in config file)
>  -extfile file   - Configuration file with X509v3 extentions to add
>  -crlexts ..     - CRL extension section (override value in
> config file)
>  -engine e       - use engine e, possibly a hardware device.
>  -status serial  - Shows certificate status given the serial number
>  -updatedb       - Updates db for expired certificates
> ./CA.sh: line 197: 10495 Segmentation fault      $CA
> -create_serial -out
> ${CATOP}/$CACERT $CADAYS -batch -keyfile
> ${CATOP}/private/$CAKEY -selfsign
> -extensions v3_ca -infiles ${CATOP}/$CAREQ
>
> I tried removing the -create_serial option and then it
> complains about the
> -selfsign option.  Removed that too - but it just errors out,
> never creating
> my root ca cert.
>
> Any one encountered this before?  Happens with openssl
> 0.9.8m/1.0.0 on suse
> linux 9.

If you check the error message, you see that there is neither a -create_serial option nor a -selfsign option, so I guess it's no surprise that openssl complains. The absence of -selfsign is a bit weird, as this option is definitely available in v0.9.8 and v1.0.0, but you've got more bugs in your invocation. Also, try replacing your variables with their values and check the content of your input files. Do you have a proper configuration file with all the necessary content? Try referencing your configuration file via the -config option. Add the -verbose option to get more output. As a starter you should read about the usage of the various openssl command line tools (http://www.openssl.org/docs/apps/openssl.html) or via man {tool-name} on your system. The latter approach makes sure you get the documentation for your installed version of openssl. The documentation also contains extensive examples. Try starting with an example and then modify it according to your needs.


HTH,
Patrick Eisenacher
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: CA.pl/CA.sh fail - can't create root CA

Dr. Stephen Henson
In reply to this post by csa321
On Tue, May 11, 2010, asc123 wrote:

>
> I'm getting a segv when trying to run CA.pl/.sh to create a rootCA:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> unknown option -create_serial
> usage: ca args
>
>  -verbose        - Talk alot while doing things
>  -config file    - A config file
>  -name arg       - The particular CA definition to use
>  -gencrl         - Generate a new CRL
>  -crldays days   - Days is when the next CRL is due
>  -crlhours hours - Hours is when the next CRL is due
>  -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
>  -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
>  -days arg       - number of days to certify the certificate for
>  -md arg         - md to use, one of md2, md5, sha or sha1
>  -policy arg     - The CA 'policy' to support
>  -keyfile arg    - private key file
>  -keyform arg    - private key file format (PEM or ENGINE)
>  -key arg        - key to decode the private key if it is encrypted
>  -cert file      - The CA certificate
>  -in file        - The input PEM encoded certificate request(s)
>  -out file       - Where to put the output file(s)
>  -outdir dir     - Where to put output certificates
>  -infiles ....   - The last argument, requests to process
>  -spkac file     - File contains DN and signed public key and challenge
>  -ss_cert file   - File contains a self signed cert to sign
>  -preserveDN     - Don't re-order the DN
>  -noemailDN      - Don't add the EMAIL field into certificate' subject
>  -batch          - Don't ask questions
>  -msie_hack      - msie modifications to handle all those universal strings
>  -revoke file    - Revoke a certificate (given in file)
>  -subj arg       - Use arg instead of request's subject
>  -extensions ..  - Extension section (override value in config file)
>  -extfile file   - Configuration file with X509v3 extentions to add
>  -crlexts ..     - CRL extension section (override value in config file)
>  -engine e       - use engine e, possibly a hardware device.
>  -status serial  - Shows certificate status given the serial number
>  -updatedb       - Updates db for expired certificates
> ./CA.sh: line 197: 10495 Segmentation fault      $CA -create_serial -out
> ${CATOP}/$CACERT $CADAYS -batch -keyfile ${CATOP}/private/$CAKEY -selfsign
> -extensions v3_ca -infiles ${CATOP}/$CAREQ
>
> I tried removing the -create_serial option and then it complains about the
> -selfsign option.  Removed that too - but it just errors out, never creating
> my root ca cert.
>
> Any one encountered this before?  Happens with openssl 0.9.8m/1.0.0 on suse
> linux 9.
>
> Thanks in advance!
>

The CA.pl script from OpenSSL 1.0.0 is using the openssl utility from 0.9.8
and failing due to unimplemented options. I'd suggest you either use the 0.9.8
CA.pl or amend your path so the 1.0.0 openssl utility is used.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: CA.pl/CA.sh fail - can't create root CA

Dave Thompson-5
In reply to this post by Eisenacher, Patrick
> From: [hidden email] On Behalf Of Eisenacher, Patrick
> Sent: Wednesday, 12 May, 2010 07:04
<snip>
> > From: owner-openssl-users On Behalf Of asc123
> >
> > I'm getting a segv when trying to run CA.pl/.sh to create a rootCA:
<snip>
> > unknown option -create_serial
<snip ca usage message>

> > ./CA.sh: line 197: 10495 Segmentation fault      $CA
> > -create_serial -out
> > ${CATOP}/$CACERT $CADAYS -batch -keyfile
> > ${CATOP}/private/$CAKEY -selfsign
> > -extensions v3_ca -infiles ${CATOP}/$CAREQ
> >
> > I tried removing the -create_serial option and then it
> > complains about the
> > -selfsign option.  Removed that too - but it just errors out,
> > never creating
> > my root ca cert.
> >
> > Any one encountered this before?  Happens with openssl
> > 0.9.8m/1.0.0 on suse
> > linux 9.
>
> if you check the error message, you see that there is neither
> a -create_serial option nor a -selfsign option, so I guess
> it's no surprise that openssl complains. The absence of
> -selfsign is a bit weird, as this option is definitely
> available in v0.9.8 and v1.0.0, but you've got more bugs in

ca actually has -create_serial and -selfsign since 0.9.8
[11 Oct 2005] according to the changefile, they're just not
in the usage/help display.

> your invocation. Also, try replacing your variables by their
> values and check the content of your input files. Do you have
> a proper configuration file with all the necessary content?

OP says s/he is using CA.sh or .pl, presumably the ones
distributed in apps, which should be a valid invocation --
and it looks reasonable to me by eye, and works when tried.
The last error quoted, apparently from bash*, cites CA.sh,
but line 197 -- long after the ca invocation in 0.9.8m,n
and 1.0.0beta4+, and far outside the file earlier. Unless
the OP or a packager upstream did some significant editing
-- which is possible, it is just a shell script after all.
Also the linebreaks are odd and unexpected; I'm hoping
that was just a copy&paste or posting artifact.
* on the Linuxes I have, #!/bin/sh actually gets bash

If the OP is getting an old (0.9.7?) commandline, due to
the new version (package?) not being installed correctly
and/or early enough in the $PATH, that would explain the
rejected option(s) but not the segv. After a usage error,
it exits without reading configfile; and even if it did
and the file is bad, it should print a message, not segv.

To OP: in your shell 'which openssl' will check which executable
you are getting, and 'openssl version -a' will tell some things
about it including its default location for the configfile.
Are these new versions packages you are installing, and how?
Or did you build from source, and if so with what options
and in particular where did or should it install?



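As an added example (not code from any poster in this thread, nor from the OpenSSL project), here is a small POSIX shell script that turns Steve's diagnosis and Dave's `which openssl` / `openssl version -a` advice into a repeatable check: it resolves the openssl binary the shell would actually execute (`command -v`, the POSIX equivalent of `which`), prints its version banner and config directory, and compares the version against 0.9.8, the release Dave cites as the first with -create_serial and -selfsign. The function names, the numeric version key and the sample banners are this example's own construction; the 0.9.8 minimum is the only value taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that the openssl binary a CA.sh/CA.pl
# invocation will actually run is new enough for the options the script passes.
# Function names and the numeric version key are this example's own construction;
# the minimum 0.9.8 comes from the thread (-create_serial/-selfsign exist since 0.9.8).
set -eu

# Map an "openssl version" banner such as "OpenSSL 0.9.8m 25 Feb 2010" to a single
# sortable integer: major*1000000 + minor*10000 + patch*100 + letter (a=1 .. z=26).
# Returns 1 if the banner is not an OpenSSL banner (e.g. a LibreSSL build).
openssl_version_key() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    case $rest in
        *.*) minor=${rest%%.*}; rest=${rest#*.} ;;   # "9.8m" -> minor=9, rest=8m
        *)   minor=$rest; rest=0 ;;                   # two-component version
    esac
    patch=${rest%%[a-z]*}        # "8m" -> 8
    letter=${rest#"$patch"}      # "8m" -> m  (empty when there is no letter)
    li=0
    if [ -n "$letter" ]; then
        li=$(( $(printf '%d' "'$letter") - 96 ))   # ASCII code of the letter, 'a' -> 1
    fi
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + li ))
}

# openssl_at_least BANNER MINVER : succeeds when BANNER reports MINVER or newer.
openssl_at_least() {
    have=$(openssl_version_key "$1") || return 2
    need=$(openssl_version_key "OpenSSL $2") || return 2
    [ "$have" -ge "$need" ]
}

# The diagnostic from the thread in script form: which executable the shell
# resolves, what it reports, where it looks for its config file, and whether it
# is at least MINVER. Exit status: 0 new enough, 1 too old, 2 no usable openssl.
check_openssl_for_ca() {
    minver=$1
    bin=$(command -v openssl) || { echo "no openssl found in PATH"; return 2; }
    banner=$("$bin" version)
    echo "PATH resolves openssl to: $bin"
    echo "it reports:               $banner"
    echo "config directory:         $("$bin" version -d)"
    if openssl_at_least "$banner" "$minver"; then
        echo "OK: $minver or newer; -create_serial and -selfsign should be accepted"
        return 0
    fi
    echo "MISMATCH: older than $minver; a CA.sh from a newer release will hit 'unknown option'"
    return 1
}

# Usage: sh check_openssl.sh --run [MINVER]   (no arguments: only define the functions)
if [ "${1:-}" = "--run" ]; then
    check_openssl_for_ca "${2:-0.9.8}"
fi
```

Run it from the same shell and with the same PATH that CA.sh or CA.pl is started from, since that is what decides which `openssl` the script's `$CA` line ends up executing; a packaged 0.9.7 or 0.9.8 earlier in PATH than a source-built 1.0.0 shows up immediately as a MISMATCH line, which is the situation Steve describes.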