<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
hi Daniel,<br>thanks for your suggest.<br><br><br><hr id="stopSpelling">Date: Fri, 3 Sep 2010 12:50:46 +0200<br>From: miconda@gmail.com<br>To: betergreen@live.com<br>CC: sr-users@lists.sip-router.org<br>Subject: Re: [SR-Users] help to fix bug in TLS module.<br><br>
<meta http-equiv="Content-Type" content="text/html; charset=unicode">
<meta name="Generator" content="Microsoft SafeHTML">
<title>Message body</title>
Hello,<br>
<br>
please use adequate subject. Your reported issue has nothing to do
with a bug in tls module. Where you see the relation between proxy's
tls module and what is not working for you?<br>
<br>
Btw, if tls module is installed, you get self signed certificates in
config directory.<br>
<br>
Thanks,<br>
Daniel<br>
<br>
<br>
On 9/3/10 12:29 PM, peter_green lion wrote:
<blockquote cite="mid:SNT121-W37E804C381BCE321C49C8DBC8D0@phx.gbl">
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Tahoma;}
</style>
hi all,<br>
I have configure to use TLS module,but i have a problem in step :
create key.<br>
<br>
i follow these step:<br>
<br>
<pre class="ecxprogramlisting">Creating CA certificate<br>-----------------------<br>1. create CA dir<br> mkdir ca<br> cd ca<br> <br>2. create ca dir structure and files (see ca(1))<br> mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf<br> mkdir demoCA/private<br> mkdir demoCA/newcerts<br> touch demoCA/index.txt<br> echo 01 >demoCA/serial<br> <br>2. create CA private key<br> openssl genrsa -out demoCA/private/cakey.pem 2048<br> chmod 600 demoCA/private/cakey.pem<br> <br>3. create CA self-signed certificate<br> openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem<br><br><br>Creating a server/client certificate<br>------------------------------------<br>1. create a certificate request (and its private key in privkey.pem)<br> openssl req -out ser1_cert_req.pem -new -nodes<br> WARNING: the organization name should be the same as in the ca certificate.<br> <br>2. sign it with the ca certificate<br> openssl ca -in ser1_cert_req.pem -out ser1_cert.pem<br> <br>3. copy ser1_cert.pem to your ser config. dir<br><br><br>Setting ser to use the certificate<br>----------------------------------<br>1. create the ca list file:<br> for each of your ca certificates that you intend to use do:<br> cat cacert.pem >>calist.pem<br> <br>2. copy your ser certificate, private key and ca list file to your <br> intended machine (preferably in your ser cfg. directory, this is the <br> default place ser searches for)<br> <br>3. set up ser.cfg to use the certificate<br> if your ser certificate name is different from cert.pem or it is not<br> placed in ser cfg. directory, add to your ser.cfg:<br> modparam("tls", "certificate", "/path/cert_file_name")<br> <br>4. set up ser to use the private key<br> if your private key is not contained in the certificate (or the<br> certificate name is not the default cert.pem), add to your ser.cfg:<br> modparam("tls", "private_key", "/path/private_key_file")<br> <br>5. set up ser to use the ca list (optional)<br> add to your ser.cfg:<br> modparam("tls", "ca_list", "/path/ca_list_file")<br> <br>6. set up tls authentication options:<br> modparam("tls", "verify_certificate", 1)<br> modparam("tls", "require_certificate", 1) <br> (for more information see the module parameters documentation)<br><br>but in step : 2. sign it with the ca certificate(command :openssl ca -in ser1_cert_req.pem -out ser1_cert.pe<br>)<br></pre>
i have error and it openssl can not make file "ser1_cert.pem
"<br>
<br>
the error is :<br>
<br>
[root@appliance ca]# openssl ca -in ser1_cert_req.pem -out
ser1_cert.pem<br>
Using configuration from /etc/pki/tls/openssl.cnf<br>
Error opening CA private key ../../CA/private/cakey.pem<br>
15231:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')<br>
15231:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:354:<br>
unable to load CA private key<br>
<br>
<br>
please help me to fix it, or suggest to check and make it work.<br>
thanks all.<br>
<br>
Peter green<br>
<pre><fieldset class="ecxmimeAttachmentHeader"></fieldset><br>_______________________________________________<br>SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br><a class="ecxmoz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><br><a class="ecxmoz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br></pre>
</blockquote>
<br>
<pre class="ecxmoz-signature">-- <br>Daniel-Constantin Mierla<br><a class="ecxmoz-txt-link-freetext" href="http://www.asipto.com" target="_blank">http://www.asipto.com</a></pre> </body>
</html>