# Help setting up SSL certs for postfix/apache.

## mpicklesimer

Configuring postfix for mail server, ran into a problem a few minutes ago and I can't seem to figure my way out of it. Following this guide

http://www.gentoo.org/doc/en/virt-mail-howto.xml

I get to step 5, and get the following output instead of what I expected:

```
camaro misc # ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
....++++++
................++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
US [US]:
MA [MA]:
West Roxbury []:West Roxbury
Massachusetts Computing Solutions [Massachusetts Computing Solutions]:
Massachusetts Computing Solutions []:Massachusetts Computing Solutions
Matthew Picklesimer []:Matthew Picklesimer
postmaster@masscs.com []:postmaster@masscs.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A different challenge password []:<password>
Massachusetts Computing Solutions []:Massachusetts Computing Solutions
Request is in newreq.pem, private key is in newkey.pem
camaro misc # ./CA.pl -newca
camaro misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:<password>
Error opening CA certificate ./demoCA/cacert.pem
13047:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('./demoCA/cacert.pem','r')
13047:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate
Signed certificate is in newcert.pem
camaro misc #
```

Can't continue with the next step until I get this straightened out. I'm running the absolute latest stable version of everything in question. Anyone have any ideas?

----------

## smerf

Have you configured your CA? Or do you just want to use a self-signed certificate?

----------

## mpicklesimer

I'm just using the self-signed. Only need it for myself, no one else will be using this site, so it's all good.

----------

## smerf

I think that these two steps:

```
# ./CA.pl -newreq-nodes
# ./CA.pl -newca
```

should go in reverse order: first create the CA, then the certificate request, then make the signature.

http://www.phildev.net/ssl/

http://www.octaldream.com/~scottm/talks/ssl/opensslca.html

----------

## Peach

I don't know if this is the right procedure:

```
# cd /etc/ssl/misc/
# rm -rf demoCA
# ./CA.pl -newreq-nodes
# ./CA.pl -newca
# ./CA.pl -sign
```

This solved it.

----------
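A preflight check for the failure seen in this thread, added here as an example and not written by any of the posters or taken from the Gentoo guide: it classifies the `demoCA` directory before `CA.pl -sign` is run, so a half-built CA (a `cakey.pem` with no `cacert.pem`, as in the error output above) is caught first. The function names `ca_state` and `preflight_sign` are hypothetical, and the `index.txt` and `serial` checks assume the stock `openssl.cnf` layout.

```shell
#!/bin/sh
# Added example: preflight check for the CA directory before "CA.pl -sign".
# The default ./demoCA matches the paths in the thread's error output.

# Print one word describing the CA directory:
#   missing     - no CA directory at all (create the CA first)
#   incomplete  - directory exists but a file the signing step needs is absent
#   key-exposed - complete, but cakey.pem is accessible to group or others
#   ready       - complete and the CA key is owner-only
ca_state() {
    catop=${1:-./demoCA}
    [ -d "$catop" ] || { echo missing; return; }
    # cacert.pem and private/cakey.pem are the paths from the thread;
    # serial (and index.txt below) are assumed from the stock openssl.cnf.
    for f in cacert.pem private/cakey.pem serial; do
        [ -s "$catop/$f" ] || { echo incomplete; return; }
    done
    # index.txt is legitimately empty on a fresh CA, so only require it to exist.
    [ -e "$catop/index.txt" ] || { echo incomplete; return; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$catop/private/cakey.pem" | cut -c5-10)
    [ "$perms" = "------" ] || { echo key-exposed; return; }
    echo ready
}

# Return 0 only when signing can proceed: CA ready and a request present.
preflight_sign() {
    catop=${1:-./demoCA}
    req=${2:-newreq.pem}
    state=$(ca_state "$catop")
    case $state in
        ready) ;;
        missing)
            echo "no CA at $catop: create it before signing" >&2; return 1 ;;
        incomplete)
            echo "CA at $catop is half-built: remove it and recreate it" >&2; return 1 ;;
        key-exposed)
            echo "restrict $catop/private/cakey.pem to its owner" >&2; return 1 ;;
    esac
    [ -s "$req" ] || { echo "no certificate request at $req" >&2; return 1; }
}
```

Run from `/etc/ssl/misc/`, `preflight_sign && ./CA.pl -sign` only reaches the signing step when the CA certificate, key, database and request are all in place.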

