<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
hi all,<br>I have configure to use TLS module,but i have a problem in step : create key.<br><br>i follow these step:<br><br><pre class="programlisting">Creating CA certificate<br>-----------------------<br>1. create CA dir<br> mkdir ca<br> cd ca<br> <br>2. create ca dir structure and files (see ca(1))<br> mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf<br> mkdir demoCA/private<br> mkdir demoCA/newcerts<br> touch demoCA/index.txt<br> echo 01 >demoCA/serial<br> <br>2. create CA private key<br> openssl genrsa -out demoCA/private/cakey.pem 2048<br> chmod 600 demoCA/private/cakey.pem<br> <br>3. create CA self-signed certificate<br> openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem<br><br><br>Creating a server/client certificate<br>------------------------------------<br>1. create a certificate request (and its private key in privkey.pem)<br> openssl req -out ser1_cert_req.pem -new -nodes<br> WARNING: the organization name should be the same as in the ca certificate.<br> <br>2. sign it with the ca certificate<br> openssl ca -in ser1_cert_req.pem -out ser1_cert.pem<br> <br>3. copy ser1_cert.pem to your ser config. dir<br><br><br>Setting ser to use the certificate<br>----------------------------------<br>1. create the ca list file:<br> for each of your ca certificates that you intend to use do:<br> cat cacert.pem >>calist.pem<br> <br>2. copy your ser certificate, private key and ca list file to your <br> intended machine (preferably in your ser cfg. directory, this is the <br> default place ser searches for)<br> <br>3. set up ser.cfg to use the certificate<br> if your ser certificate name is different from cert.pem or it is not<br> placed in ser cfg. directory, add to your ser.cfg:<br> modparam("tls", "certificate", "/path/cert_file_name")<br> <br>4. set up ser to use the private key<br> if your private key is not contained in the certificate (or the<br> certificate name is not the default cert.pem), add to your ser.cfg:<br> modparam("tls", "private_key", "/path/private_key_file")<br> <br>5. set up ser to use the ca list (optional)<br> add to your ser.cfg:<br> modparam("tls", "ca_list", "/path/ca_list_file")<br> <br>6. set up tls authentication options:<br> modparam("tls", "verify_certificate", 1)<br> modparam("tls", "require_certificate", 1) <br> (for more information see the module parameters documentation)<br><br>but in step : 2. sign it with the ca certificate(command :openssl ca -in ser1_cert_req.pem -out ser1_cert.pe<br>)<br></pre>i have error and it openssl can not make file "ser1_cert.pem
"<br><br>the error is :<br><br>[root@appliance ca]# openssl ca -in ser1_cert_req.pem -out ser1_cert.pem<br>Using configuration from /etc/pki/tls/openssl.cnf<br>Error opening CA private key ../../CA/private/cakey.pem<br>15231:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')<br>15231:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:<br>unable to load CA private key<br><br><br>please help me to fix it, or suggest to check and make it work.<br>thanks all.<br><br>Peter green<br> </body>
</html>