I need to:
- create a CA certificate
- create a https_client-certificate
- sign the https_client-certificate by the CA
by using the command line on Linux (openSUSE). I create the CA certificate:

    # openssl genrsa -out rootCA.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..........................................................+++
    ....................+++
    e is 65537 (0x10001)
    # openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:AA
    State or Province Name (full name) [Some-State]:A
    Locality Name (eg, city) []:A
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
    Organizational Unit Name (eg, section) []:A
    Common Name (e.g. server FQDN or YOUR name) []:A
    Email Address []:A
    #

Works fine. Then I create the https_client-certificate:

    # openssl genrsa -out client1.key 2048
    Generating RSA private key, 2048 bit long modulus
    ............................+++
    .............................................+++
    e is 65537 (0x10001)
    #
    # openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:BB
    State or Province Name (full name) [Some-State]:B
    Locality Name (eg, city) []:B
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
    Organizational Unit Name (eg, section) []:B
    Common Name (e.g. server FQDN or YOUR name) []:B
    Email Address []:B
    #

Works fine. Now when I try to sign the https_client-certificate with the CA, I get this error:

    # openssl ca -in client1.pem -out client11.pem
    Using configuration from /etc/ssl/openssl.cnf
    Error opening CA private key ./demoCA/private/cakey.pem
    139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
    139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
    unable to load CA private key
    #

I already tried:
- using absolute paths ("Error opening CA private key" on Windows)
but no success for me. I read somewhere that specific entered attributes need to be the same as the ones entered on CA creation, but at least when creating certificates on Windows using the XCA tool this is not correct. I can enter completely different stuff, and as long as I sign it with the CA I can use it. Can someone help me?
Update: I only use .key and .pem because this works for me on Windows using the XCA tool ... I'm actually reading the OpenSSL Cookbook (https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html) to see if I did anything specific wrong. First thought: do I have to use a .csr to sign a certificate, or can I do this using any other format too?
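A working version of the three steps from the question (CA certificate, client certificate, signature by the CA), added here as an example and not the poster's own commands: it issues the client certificate from a signing request with `openssl x509 -req`, which takes the CA key and certificate from its arguments instead of the demoCA/ directory that `openssl ca` expects, and then checks the result with `openssl verify`. File names follow the question; the subject fields (deliberately different between CA and client), the scratch directory and the extension file name client.ext are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the question): private CA + CA-signed client
# certificate with the openssl CLI only, no demoCA/ layout required.
set -e

# Writes rootCA.key, rootCA.pem, client1.key, client1.csr and client1.pem
# into the scratch directory given as $1.
make_ca_and_client_cert() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA private key and self-signed CA certificate. With the stock
    #    openssl.cnf, 'req -x509' marks it basicConstraints CA:TRUE.
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -days 3650 \
        -subj "/C=AA/O=Example CA/CN=Example Root CA" \
        -out "$dir/rootCA.pem"

    # 2. Client key and a certificate signing REQUEST. No -x509 here:
    #    with -x509 you get a second self-signed certificate, and a CA
    #    cannot sign an already-issued certificate, only a request.
    openssl genrsa -out "$dir/client1.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client1.key" \
        -subj "/C=BB/O=Example Org/CN=client1" \
        -out "$dir/client1.csr"

    # 3. Sign the request with the CA. The extension file limits the
    #    issued certificate to TLS client authentication and keeps it
    #    from being used as a CA itself.
    printf 'extendedKeyUsage = clientAuth\nbasicConstraints = CA:FALSE\n' \
        > "$dir/client.ext"
    openssl x509 -req -in "$dir/client1.csr" \
        -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -days 365 -extfile "$dir/client.ext" -out "$dir/client1.pem" 2>/dev/null
}

# Returns 0 if client1.pem chains to rootCA.pem, non-zero otherwise.
verify_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/client1.pem" >/dev/null 2>&1
}
```

A self-signed client certificate (what `req -x509` produces) fails the same `openssl verify` check, because nothing in it was signed by rootCA.key.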