[wease1@desktop: ~] $ uname -r
2.6.12-1.1398_FC4smp
[wease1@desktop: ~] $ openssl version
OpenSSL 0.9.7f 22 Mar 2005

I just (by trial and error and finally by documentation) created a pkcs12 certificate for use with SMIME in my email client Evolution. I now get the following prompt every time I use sudo:

[wease1@desktop: ~] $ sudo mkdir help
Password:
4025:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: CERTIFICATE
Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
[wease1@desktop: ~] $

The above happens whether or not sudo asks me for a password. I also cannot retrieve my mail using any of pop3, pops3, imap, imaps with dovecot now (other users have no problem and I can read my mail locally with mutt). Note this is my home desktop (and master server and testing grounds of everything on my little home network) but I've also tried downloading my mail from another computer on the same net without luck.

Below is a condensed version of my bash history:

* as user wease1 ***********************************************
- initial attempt ---------------------------------------------
openssl pkcs12 -export -inkey key.pem -certfile cert.pem -out smime.pkcs12
openssl pkcs12 -export -inkey key.pem -certfile cert.pem
openssl pkcs12 -export -inkey key.pem -certfile cert.pem
cat cert.pem key.pem > temp.pem
openssl pkcs12 -export -in temp.pem -out smime.p12
less smime.p12
rm smime.p12
openssl pkcs12 -export -in temp.pem
---------------------------------------------------------------
- new certificate request and signed cert ---------------------
cd .ssl/
openssl x509 -in cert.pem -text
openssl x509 -in key.pem -text
openssl rsa -in key.pem -text
rm -fr cert.pem key.pem
openssl req -new -keyout key.pem -out certreq.pem
su
rm *
rm -fr *
openssl req -new -keyout key.pem -out certreq.pem
sudo cp certreq.pem /etc/pki/CA/
sudo chown wease1:wease1 cert.pem
su
chmod 600 key.pem
---------------------------------------------------------------
- attempts to get Evolution to recognize certificate ----------
cp cert.pem ..
cat cert.pem key.pem > smime.pem
less smime.pem
rm smime.pem
cat key.pem cert.pem > smime.crt
rm cert.pem
cd .ssl
rm smime.crt
---------------------------------------------------------------
- finally taking a good look at the documentation -------------
man pkcs12
---------------------------------------------------------------
- just in case it's useful that I use kerberos ----------------
klist
kinit
---------------------------------------------------------------
- the end ------------------------------------------------------
cd .ssl
openssl pkcs12 -export -in cert.pem -inkey key.pem -out smime.pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -rand /dev/random -out smime.pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -out smime.pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -rand /dev/random -out smime.pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -out smime.pkcs12
---------------------------------------------------------------
********************************************************************
* as super user ****************************************************
openssl pkcs12 -export -in cert.pem -inkey key.pem -out smime.pkcs12
********************************************************************

In the beginning, I revoked my initial certificate and made a new one, thinking maybe there was something wrong because Evolution failed to import the certificate - the problem being that I didn't understand the pkcs12 format.

The super user command was the one that finally seemed to work. The last few wease1 commands didn't work quite right - with the -rand option, the program would just hang and without it I would get the following: "unable to write 'random state'". As super user I didn't get this warning, and the smime.pkcs12 file was actually created with wease1 ownership.

Thanks for any help and please let me know if I can provide any more information.

Todd
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [hidden email]
Automated List Manager                          [hidden email]
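
The "no start line ... Expecting: CERTIFICATE" error quoted in the post is what OpenSSL's PEM reader reports when the data it is given contains no "-----BEGIN CERTIFICATE-----" line. The script below is an added example, not part of the original post: it reports which PEM block types a file holds. The file names mirror the ones in the post, but their contents are constructed placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify files by the PEM block types they contain.

# pem_labels FILE: print the label of each "-----BEGIN <label>-----" line.
pem_labels() {
    LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# classify FILE: one-word summary of what a PEM reader would find in FILE.
classify() {
    labels=$(pem_labels "$1")
    has_cert=no; has_key=no
    if printf '%s\n' "$labels" | grep -qx 'CERTIFICATE'; then has_cert=yes; fi
    if printf '%s\n' "$labels" | grep -q 'PRIVATE KEY$'; then has_key=yes; fi
    case "$has_cert/$has_key" in
        yes/yes) echo "certificate+key" ;;
        yes/no)  echo "certificate" ;;
        no/yes)  echo "key-only" ;;
        *) if [ -n "$labels" ]; then echo "other-pem"
           else echo "no-pem-start-line"; fi ;;
    esac
}

# make_samples DIR: write constructed stand-ins (placeholder bodies, not real keys).
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1/key.pem"
    # Key first, then certificate, as in "cat key.pem cert.pem > smime.crt".
    cat "$1/key.pem" "$1/cert.pem" > "$1/smime.crt"
    # PKCS#12 output is binary DER, so it has no PEM start line at all.
    printf '\060\202\004\001constructed' > "$1/smime.pkcs12"
}

# demo: classify each constructed sample and print a small report.
demo() {
    d=$(mktemp -d) && make_samples "$d"
    for f in cert.pem key.pem smime.crt smime.pkcs12; do
        printf '%-13s %s\n' "$f" "$(classify "$d/$f")"
    done
    rm -rf "$d"
}
demo
```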