creating ca certificate ...

[AtoB]

Hi all,

in order to secure a webservice I thought I'd create a certificate. Step one creating the CA certificate doens't seem to work:

- I run CreateCACertificate.bat
- I type a password twice

then it seems to go wrong, the follwing is displayed:

Code: [Select]

[color=blue]--- Create Certificate using Private Key
(Please enter the same password you used earlier when asked to do so)

WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Unable to load config info from /usr/local/ssl/openssl.cnf


--- Display Certificate

WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Error opening Certificate .\YourCARoot\cacert\YourCA.crt
5612:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:391:fopen('.\YourCARoot\cacert\YourCA.crt','rb')
5612:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:393:
unable to load certificate
[/color]

It looks like a "openssl.cnf" file is missing somehow, at least I cannot find it ... I'm not getting (for example) a country code to billed in ...

- is this file required?
- are there any other requirements for this batch to complete?

TIA,
Ton

[Bruce]

check your Command Prompt (DOS) environment for a setting;

OPENSSL_CONF=C:\OpenSSL\bin\openssl.cfg

If this exists, then the filename needs to be valid. If you're not sure, clear the setting
SET OPENSSL_CONF=

and run the batch file again.

cheers
Bruce

[AtoB]

Hi Bruce,

just found out that I needed to install OpenSSL first, I wrongly assumed it was part of the os ... got my CA certificate!

Now diving into the next steps :-)

regards,
Ton

[Bruce]

Hi Ton,

>> just found out that I needed to install OpenSSL first,

you don't need to install OpenSSL - but yes, if you do, that's another way to reset the OPENSSL_CONF setting.

cheers
Bruce

[CaseyR]

Hi, Bruce

A few years and couple of machines ago,  I was able to use OpenSSL to self certify  and to create a CSR's.   A client's issue prompted me to work with it again and I encountered the problems Ton found.  Neither using SET to clear the environment nor reinstalling OpenSSL fixed the problem, but I did find an earlier suggestion to simply create a usr\local\ssl folder and copy and rename the openssl.conf to openssl.cnf.  It works, but seems pretty kludgy as long term solution,  I was wondering if we could go over the location and settings for how OpenSSL should work at the next NT User group meeting.  One question, for example, are there differences between 32 bit and 64 bit Windows implementation.           

[Bruce]

good question Casey - please bring it up on Thursday.

cheers
Bruce