# HELP - virt-mail-howto fails making certs - SOLVED

## Moriah

This post is almost a duplicate of: 

https://forums.gentoo.org/viewtopic-t-961704-highlight-.html?sid=cdeca8d7132fad13b4085d02b5221302

In a nutshell:

```
hophni courier-imap # cd /etc/ssl/
hophni ssl # cd misc
hophni misc # ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
.............................++++++
....................................................++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [KY]:
Locality Name [Warsaw]:
Organization Name [Elijah Laboratories Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) [elilabs.com]:
Email Address [root@elilabs.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
hophni misc # ./CA.pl -newca
hophni misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
unable to load CA private key
139656827946664:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem
hophni misc # updatedb
hophni misc # locate newcert.pem
hophni misc #
```

So something is buggered up in CA.pl -sign, and the error message is a programmer's debug printf, not something meaningful to anyone else. Can anyone decrypt the above error message and figure out how to make CA.pl -sign happy? Looks like it wants some kind of private key...

----------

## Moriah

Apparently, the directions in the howto at:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

omitted a step.

By examining the CA.pl script (which was a hack over 15 years ago that is still with us!), I saw that ./CA.pl -newcert was required after ./CA.pl -newca before ./CA.pl -sign.  Once I did that, it all worked.

Let's get someone to fix the docs at the above URL, please!

----------
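The `no start line ... Expecting: ANY PRIVATE KEY` error in the session above means the file OpenSSL opened as the CA key held no PEM private-key header. The following pre-flight check is an added example, not part of the original posts or of CA.pl; the key path you pass in is an assumption and should be the `private_key` value from your own `openssl.cnf`.

```shell
#!/bin/sh
# Added example: check a CA key file before running a signing step.
# Prints one status word; returns 0 only if a PEM private key block is present.
check_ca_key() {
    key=$1
    if [ ! -e "$key" ]; then
        echo missing; return 1
    fi
    if [ ! -s "$key" ]; then
        echo empty; return 1
    fi
    # This is the "start line" the error refers to: a BEGIN line for a plain,
    # algorithm-specific (RSA/EC/DSA) or ENCRYPTED private key.
    if ! grep -Eq '^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----' "$key"; then
        echo no-private-key-start-line; return 1
    fi
    # A BEGIN line without a matching END line is a cut-off file.
    if ! grep -Eq '^-----END ([A-Z0-9]+ )?PRIVATE KEY-----' "$key"; then
        echo truncated; return 1
    fi
    # The key is loadable, but flag it if group or others have any access.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo ok-loose-permissions; return 0
    fi
    echo ok; return 0
}

# Stand-alone use: pass the key path as the first argument.
if [ $# -gt 0 ]; then
    check_ca_key "$1"
fi
```

Any status other than `ok` or `ok-loose-permissions` means a signing step that reads this file will fail the same way as in the session above.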

