Creating SSL Certs

 >
 > * openssl.exe req -config openssl.cnf -new -nodes -out server.csr -keyout
 > server.key


i tried your procedure and got this error:

Using configuration from openssl.cnf
error on line 671740672 of openssl.cnf
517:error:02001002:system library:fopen:No such file or
directory:/usr/src/crypt
o/openssl/crypto/bio/bss_file.c:104:fopen('openssl.cnf','rb')
517:error:2006D002:BIO routines:BIO_new_file:system
lib:/usr/src/crypto/openssl/
crypto/bio/bss_file.c:106:
517:error:0E064002:configuration file routines:CONF_load:system
lib:/usr/src/cry
pto/openssl/crypto/conf/conf_lib.c:91:

i use a FreeBSD 5 OS
with apache 2
and openssl 0.9.7b

Johannes<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Creating SSL Certs 

"Joe Güntner" <j.guentner.DeleteThis@kabsi.at> wrote in message
news:3F50D383.30007@kabsi.at...

 > i tried your procedure and got this error:

Do you have the configuration file openssl.cnf in your in the folder?

If not, that will be your problem. You can find this file in the source
distribution of openssl in the apps folder.

Richard.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Creating SSL Certs 

The openssl.cnf is in the folder apps!

Are there other ways to create my ssl-certs?

I need them only to test my Apache with SSL!

Johannes
 >> Stay informed about: Creating SSL Certs 

"Joe Güntner" <j.guentner.RemoveThis@kabsi.at> wrote in message
news:3F510A09.7020504@kabsi.at...
 > The openssl.cnf is in the folder apps!
 >
 > Are there other ways to create my ssl-certs?

Ok, so are you running the openssl command from the apps folder? I wouldn't
imagine so as that isn't where it compiles to.

The openssl.cnf file needs to be in the folder where you run the openssl
command from, not in the apps folder (that's just where it comes from in the
source tree).

Richard.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Creating SSL Certs 

 >
 > The openssl.cnf file needs to be in the folder where you run the openssl
 > command from, not in the apps folder (that's just where it comes from in the
 > source tree).

thanks for this tip.

but i had troubles with the second command

openssl.exe x509 -in server.csr -out server.crt -req -signkey
server.key -days 365 -set_serial 1

i got an error:

unknown option -set_serial

Johannes<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Creating SSL Certs 

"Joe Güntner" <j.guentner RemoveThis @kabsi.at> wrote in message
news:3F52434C.8080509@kabsi.at...

 > i got an error:
 >
 > unknown option -set_serial
 >

Hmm, thats odd. You can leave the "-set_serial 1" off the end if you prefer.
This will create a certificate with a serial number of 0. This will only be
a problem if you create more than one certificate for the same site and
import them both into your browser (it will warn you that the issuer has
produced more than one certificate with the same serial number, which
wouldn't normally happen of course), so probably not a problem for you
really.

The command "openssl x509 ?" should display a list of valid options, see
mine below (note -set_serial near the bottom, perhaps you have an older
version?).

Richard.

 >openssl version
OpenSSL 0.9.7b 10 Apr 2003

 >openssl x509 ?
unknown option ?
usage: x509 args
-inform arg - input format - default PEM (one of DER, NET or PEM)
-outform arg - output format - default PEM (one of DER, NET or PEM)
-keyform arg - private key format - default PEM
-CAform arg - CA format - default PEM
-CAkeyform arg - CA key format - default PEM
-in arg - input file - default stdin
-out arg - output file - default stdout
-passin arg - private key password source
-serial - print serial number value
-hash - print hash value
-subject - print subject DN
-issuer - print issuer DN
-email - print email address(es)
-startdate - notBefore field
-enddate - notAfter field
-purpose - print out certificate purposes
-dates - both Before and After dates
-modulus - print the RSA key modulus
-pubkey - output the public key
-fingerprint - print the certificate fingerprint
-alias - output certificate alias
-noout - no certificate output
-ocspid - print OCSP hash values for the subject name and public
key
-trustout - output a "trusted" certificate
-clrtrust - clear all trusted purposes
-clrreject - clear all rejected purposes
-addtrust arg - trust certificate for a given purpose
-addreject arg - reject certificate for a given purpose
-setalias arg - set certificate alias
-days arg - How long till expiry of a signed certificate - def 30
days
-checkend arg - check whether the cert expires in the next arg seconds
exit 1 if so, 0 if not
-signkey arg - self sign cert with arg
-x509toreq - output a certification request object
-req - input is a certificate request, sign and output.
-CA arg - set the CA certificate, must be PEM format.
-CAkey arg - set the CA key, must be PEM format
missing, it is assumed to be in the CA file.
-CAcreateserial - create serial number file if it does not exist
-CAserial arg - serial file
-set_serial - serial number to use
-text - print the certificate in text form
-C - print out C code forms
-md2/-md5/-sha1/-mdc2 - digest to use
-extfile - configuration file with X509V3 extensions to add
-extensions - section from config file with X509V3 extensions to add
-clrext - delete extensions before signing and input certificate
-nameopt arg - various certificate name options
-engine e - use engine e, possibly a hardware device.
-certopt arg - various certificate text options<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Creating SSL Certs