Some troubles making my own CA

Some troubles making my own CA

Alvaro Poole
Hi, I'm new to OpenSSL 0.9.8. I was using 0.9.7 with mod_ssl version
about 2 weeks since yesterday. (everything in Win32, and works I
promise :) )

1.- In 0.9.7 version, I could do my own certificate with:

perl ca.pl -newca (and then, I filled all I need)

But in 0.9.8 there have been some changes that I don't understand:

- Why, when I write this sentence, does openssl ask me two passwords?
(CA password and CHALLENGE password, I don't know when it uses)

2.- After this, I always made (in 0.9.7) a server certificate for this
CA with this:

openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

- Why now doesn't openssl ask me a challenge password for this certificate?

3.- At the end, I signed this certificate with the CA:

perl CA.pl -sign

and now, appears a (doesn't found private key error)

I suppose there is some trouble with mod_ssl 2.8.23 (but in
documentation says that is compatible with openssl 0.98).

My final questions are:

How can I do my own CA and signed with this in this new version and
using mod_ssl 2.8.23+1.3.33? (maybe I'm doing something wrong, so
please tell me)

Should I use openssl 0.97 for OpenLDAP? I read that OpenLDAP is
incompatible with 0.98. Is that true?

Thanks in advance (and sorry for my English ;) )

Alvaro Poole

PS: I would like with Apache Server to (it's complicated but I have to)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Some troubles making my own CA

David Templar
I think I can help you with PC certs - I am having trouble with phone
certs though :(

openssl genrsa -out ca.key 1024 (or whatever size key you want) you can
also choose dsa or dsa1 etc

and

openssl req -new -x509 -key ca.key -out cacert.pem -config [the name of
the config file] - you can also choose the -md format

Then convert the pem to der format using:  openssl ca -in cacert.pem
-out ca.cer

Your ca is ca.cer or if you wanted it in the ---cert type you can omit
the last bit.

Hope it helps.


Re: Some troubles making my own CA

David Templar
Sorry, the last command should have a -outform DER added to it, if you
want your ca in der format.

Anyway, to create a ca is fairly similar to previous versions, the only
thing I have noticed (I am using Windows) is that the perl stuff does
not work (but I did not put much time into trying to make them work).
The commands are fairly similar, just create a .bat file with those
commands and things should work.

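Added example (not part of the thread and not OpenSSL's own scripts): the CA, DER export, server request and signing steps discussed above as one non-interactive POSIX shell script. It assumes a current `openssl` binary, uses `openssl x509` for the DER conversion and for signing the request, uses 2048-bit keys, and every file name, subject name and the `pki.cnf` contents are made up for illustration.

```shell
#!/bin/sh
# Added example: build a throwaway CA and one server certificate without prompts.
# File names, subject names and the config contents are illustrative assumptions.
set -eu

make_pki() (                       # subshell body: cd and umask stay local
    umask 077                      # private keys readable by the owner only
    mkdir -p "$1"
    cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    # 1. CA key and self-signed CA certificate (PEM)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -out cacert.pem -days 365 -sha256 \
        -config pki.cnf
    # 2. Same certificate in DER, for clients that import .cer files
    openssl x509 -in cacert.pem -outform DER -out ca.cer
    # 3. Server key and request, kept in separate files
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
        -out server.csr -subj "/CN=www.example.test" -config pki.cnf 2>/dev/null
    # 4. Sign the request with the CA key; v3_srv marks it as a non-CA cert
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey ca.key \
        -CAcreateserial -out server.crt -days 90 -sha256 \
        -extfile pki.cnf -extensions v3_srv 2>/dev/null
)

# Succeeds only if server.crt chains to the CA certificate in the directory.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server.crt" >/dev/null
}

WORK=$(mktemp -d)
make_pki "$WORK"
verify_chain "$WORK" && echo "server.crt verifies against cacert.pem in $WORK"
```

The CA key is left unencrypted here so the script runs unattended; `ca.key` is what has to be protected, since anyone holding it can issue certificates the CA's clients will trust.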