# request some assistance with ssl certificates *fixed!

## taskara

Hi,

I've stopped bashing my head on the desk to post this message  :Smile: 

I'm following the Home Email Guide as found here, section 3.5, "Postfix TLS Support".

I am trying to create an ssl certificate, and am running into some problems.

I have openssl emerged, and have edited my CA.pl file to say -nodes, as per the instructions. Here is a copy of the relevant section from the file:

```
# create a certificate
system ("$REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Certificate (and private key) is in newreq.pem\n"
} elsif (/^-newreq$/) {
# create a certificate request
system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request (and private key) is in newreq.pem\n";
```

when I run 

```
./CA.pl -newca
```

from the /etc/ssl/misc directory it asks me for a password:

> CA certificate filename (or enter to create)

I just press enter.

then it continues asking:

> Making CA certificate ...
> 
> Using configuration from /etc/ssl/openssl.cnf
> 
> Generating a 1024 bit RSA private key
> ...

 

if I just press "enter" it says:

> Enter PEM pass phrase:
> 
> Verifying password - Enter PEM pass phrase:
> 
> phrase is too short, needs to be at least 4 chars
> ...

what do I put in for the PEM pass phrase ?

I tried putting in my password (just to see what would happen) and it continued through this section, and went on to asking me my location and details etc. looked like it all worked.

however the next section of the document says to:

> cp newcert.pem /etc/postfix

but the file does not exist... newreq.pem exists, but not newcert.pem  :Sad: 

so I am at a loss to see what the problem is... if anyone can shed some light, I would be most grateful!! thanks very much  :Smile: 

pleeeeeease anyone??    :Crying or Very sad: 

----------

## taskara

pleeeeeease ...  :Crying or Very sad: 

----------

## taskara

pretty pleeeease?

----------

## Chris W

I would guess that you missed the 

```
# ./CA.pl -sign
```

step that creates the newcert.pem file.

As for the passphrase, have you tried entering something?

----------

## taskara

hi chris, thanks!

in the instructions ./CA.pl -sign comes as the last step..

I did try putting in my password when it asked for one, and it continued without error, but then I couldn't find the file...

so I'm kinda at a loss as to what to do.. I'll try again, and if you like I can post everything it does step by step ?

----------

## taskara

btw dude, you are in Canberra!  :Smile:  I'm in Canberra too  :Smile: 

----------

## taskara

**EDIT - this is NOT fixed**  :Sad: 

well problem appears to be fixed.. I don't know what was stopping it from working b4, but I tried doing exactly what I have done the last 10 times again. This time when I did an emerge -U world, it installed one new app that wasn't there b4, something about ip.. anyway here's what I did (as I have done the last 10 times!!)

```
emerge -C openssl
rm -fR /etc/ssl/
emerge rsync
emerge -U world
emerge openssl
nano -w /etc/ssl/misc/CA.pl   # add "-nodes" and save
cd /etc/ssl/misc
```

then I ran the command to create the new certificate

```
./CA.pl -newcert
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SmartClan
Organizational Unit Name (eg, section) []:Family
Common Name (eg, YOUR name) []:Chris
Email Address []:root@localhost
Certificate (and private key) is in newreq.pem
```

and as you can see it worked

```
root@server misc # ls newreq.pem
newreq.pem
```

so I don't know why it worked today.. but it did..

no wonder it was so frustrating, and no wonder no one helped me :S

ONE THING THO I kept asking people whether "when I ran ./CA.pl -newcert" I should get a question asking for a password?

no-one ever replied

so I'm here to tell anyone else out there, that NO it should not ask for a password or PEM Passphrase, it should work exactly as you see above.

hope this can help some other poor fool

thanks to everyone for their input, I really appreciate it!  :Smile:  YAY onto the next step!

----------

## taskara

ARGH

no it's not fixed.. I must be stupid. When I run ./CA.pl it creates newreq.pem NOT newcert.pem

anyway here is the entire process in case someone cares to go through it and see what I'm doing wrong.. 

```
root@server misc # ./CA.pl -newcert
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SmartClan
Organizational Unit Name (eg, section) []:Family
Common Name (eg, YOUR name) []:Chris
Email Address []:root@localhost
Certificate (and private key) is in newreq.pem
```

```
root@server misc # ls
CA.pl  CA.sh  c_hash  c_info  c_issuer  c_name  der_chop  newreq.pem
```

```
root@server misc # ls newreq.pem
newreq.pem
```

```
root@server misc # ls newcert.pem
ls: newcert.pem: No such file or directory
```

```
root@server misc # ./CA.pl -newreq
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
....++++++
............................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SmartClan
Organizational Unit Name (eg, section) []:Family
Common Name (eg, YOUR name) []:Chris
Email Address []:root@localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
```

```
root@server misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory
trying to load CA private key
21227:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
21227:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
Signed certificate is in newcert.pem
```

```
root@server misc # ls
CA.pl  CA.sh  c_hash  c_info  c_issuer  c_name  der_chop  newreq.pem
```

it looks to me like ./CA.pl -newcert is doing the SAME THING as ./CA.pl -newcert

so is there something I have to change in the /etc/ssl/misc/CA.pl file ?

here it is:

>             # create a certificate
> 
>             system ("$REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS");
> 
>             $RET=$?;
> ...

I notice the printout is newreq.pem for BOTH commands.. sigh..

any thoughts?

thanks

----------

## Chris W

The instructions don't require you to run ./CA.pl -newcert?!  From the instructions: 

```
root@server # cd /etc/ssl/misc
(1) root@server # ./CA.pl -newca
(2) root@server # ./CA.pl -newreq
(3) root@server # ./CA.pl -sign
root@server # cp newcert.pem /etc/postfix
root@server # cp newreq.pem /etc/postfix
root@server # cp demoCA/cacert.pem /etc/postfix
```

Step (1) should create the cakey.pem it is complaining about.  I think you're misreading this command as ./CA.pl -newcert (as I did last night).

Step (2) creates a request for the CA to certify (newreq.pem)

Step (3) self-signs the request to create a certificate (newcert.pem).

> it looks to me like ./CA.pl -newcert is doing the SAME THING as ./CA.pl -newcert 

I would hope so  :Smile: 

There's no need to emerge any of the software, just rerun the steps.
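The three steps listed in this post, written out as an added shell example that is not part of the thread, of CA.pl, or of the Home Email Guide: each step becomes a plain `openssl` command so the file it produces can be inspected, a `pem_kinds` helper shows what newreq.pem and newcert.pem actually hold (a request plus key versus a certificate), the signing step checks for the CA key first (the condition behind the `./demoCA/private/cakey.pem: No such file or directory` error earlier in the thread), and the finished newcert.pem is verified against demoCA/cacert.pem before anything would be copied into /etc/postfix. Step (3) uses `openssl x509 -req` instead of the `openssl ca` call inside CA.pl -sign, so no demoCA index or serial bookkeeping is needed. The directory variable SMTP_CA_DIR, the subject names and the rsa:2048 key size are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread, CA.pl or the Home Email Guide:
# the -newca / -newreq / -sign steps as plain openssl commands, run in a
# throwaway directory. SMTP_CA_DIR, the subject strings and the key size
# are constructed for this example.
set -eu

SMTP_CA_DIR="${SMTP_CA_DIR:-$(mktemp -d)}"

# Step (1), CA.pl -newca: a self-signed CA certificate plus the CA private
# key, placed where CA.pl -sign later looks for it (demoCA/private/cakey.pem).
# -nodes leaves the key unencrypted, which is what the guide's CA.pl edit does.
make_ca() {
    mkdir -p "$SMTP_CA_DIR/demoCA/private"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/C=AU/ST=ACT/L=Canberra/O=Example Home CA/CN=Example Home CA" \
        -keyout "$SMTP_CA_DIR/demoCA/private/cakey.pem" \
        -out "$SMTP_CA_DIR/demoCA/cacert.pem" 2>/dev/null
}

# Step (2), CA.pl -newreq: a fresh key and a certificate *request*, both in
# newreq.pem (openssl appends the request when -keyout and -out name the same
# file, exactly as CA.pl does). Despite the name this is not a certificate.
make_request() {
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=AU/ST=ACT/L=Canberra/O=Example Home/CN=mail.example.test" \
        -keyout "$SMTP_CA_DIR/newreq.pem" -out "$SMTP_CA_DIR/newreq.pem" 2>/dev/null
}

# Is there a CA key to sign with? If not, step (1) was never run, which is
# the situation behind the "cakey.pem: No such file or directory" error.
ca_key_present() {
    [ -s "$SMTP_CA_DIR/demoCA/private/cakey.pem" ]
}

# Step (3), CA.pl -sign: the CA signs the request and writes newcert.pem.
# CA.pl calls "openssl ca"; "openssl x509 -req" is used here because it needs
# no demoCA index/serial files and yields the same kind of certificate.
sign_request() {
    ca_key_present || { echo "no CA key: run the -newca step first" >&2; return 1; }
    ( cd "$SMTP_CA_DIR" && openssl x509 -req -days 365 -in newreq.pem \
        -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -CAcreateserial \
        -out newcert.pem 2>/dev/null )
}

# What a PEM file holds, one label per BEGIN line: "CERTIFICATE REQUEST"
# versus "CERTIFICATE" is the difference between newreq.pem and newcert.pem.
pem_kinds() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Does newcert.pem chain to the CA from step (1)? Worth running before
# copying the files into /etc/postfix.
verify_chain() {
    openssl verify -CAfile "$SMTP_CA_DIR/demoCA/cacert.pem" \
        "$SMTP_CA_DIR/newcert.pem" >/dev/null 2>&1
}

main() {
    make_ca
    make_request
    sign_request
    echo "newreq.pem holds:  $(pem_kinds "$SMTP_CA_DIR/newreq.pem" | tr '\n' ' ')"
    echo "newcert.pem holds: $(pem_kinds "$SMTP_CA_DIR/newcert.pem" | tr '\n' ' ')"
    verify_chain && echo "newcert.pem verifies against demoCA/cacert.pem"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not installed; nothing to demonstrate" >&2
fi
```

Running the script prints one line per file naming the PEM blocks it contains, then the verification result. Calling `sign_request` in a directory where `make_ca` has not run fails with the "no CA key" message instead of leaving a half-written newcert.pem, which is the mistake this thread spent most of its length on.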

----------

## taskara

HAHAHAHA... I hope that is all it was.. and I sort of hope it wasn't  :Wink: 

well I've run it again, and here's the output: 

```
root@server misc # ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
................++++++
............++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SmartClan
Organizational Unit Name (eg, section) []:Family
Common Name (eg, YOUR name) []:Chris
Email Address []:root@localhost
root@server misc #
```

then I run ./CA.pl -newreq and ./CA.pl -sign and hey what do you know.. it all works.

I originally got stuck when I ran ./CA.pl -newca it was asking for a password and pem phrase (as you can see above) and everyone said it should not ask anything. so I got confused and no-one would tell me what to put in there.

then as it got later in the night, and days passed -newca became -newcert lol  :Wink: 

I'll buy you a beer or two sometime  :Wink: 

thanks soo so sosososoooo much  :Very Happy: 

----------

## taskara

as you can see up the top, I was running ./CA.pl -newca  :Wink: 

even so, they should screen out idiots like me from using gentoo :S

anyway, this time when I re-emerged openssl I rebooted.. the other times I didn't..

which was good cause it stopped ssh from working. b4 ssh was running and using the ssl libraries.. maybe that affected something.. I dunno..

anyway thanks heaps for your help  :Smile: 

----------

