# Cannot make SSL certificate for Postfix + Google Apps

## gilamonster

I'm following the official Virtual Mailhosting System with Postfix Guide, to generate smtpd_tls_key_file, smtpd_tls_cert_file, and smtpd_tls_CAfile for use in the Postfix configuration file.

What I want to do is outsource my email to Google Apps. Google Apps should handle mail for multiple email addresses and multiple domains hosted on my server.

So far, I've unmerged ssmtp, and emerged openssh, cyrus-sasl and postfix (with sasl and ssl USE flags).

I did not do Section 3 of the guide because I don't think I need to emerge courier-imap for this. Could be wrong.

I did not do Section 4 of the guide (configuring SASL), because the default configs looked good enough with PAM handling authentication.

I'm focusing on Section 5: SSL Certs for Postfix and Apache. Here's what I've done.

- Edited /etc/ssl/openssl.cnf

- $ cd /etc/ssl/misc

- $ sudo ./CA.pl -newreq-nodes

- created a challenge password and filled out everything

- $ sudo ./CA.pl -newca

- Bash returns "CA certificate filename (or enter to create)"

- I call it "try-one"

- $ sudo ./CA.pl -sign

... and I get an error message:

```
Using configuration from /etc/ssl/openssl.cnf

unable to load CA private key

140012777240232:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

Signed certificate is in newcert.pem
```

I have searched for hours, and located two separate threads with interesting solutions. I've tried everything, but none of it is working.

No matter what I do, I keep getting this error:

```
Using configuration from /etc/ssl/openssl.cnf

unable to load CA private key

140012777240232:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

Signed certificate is in newcert.pem
```

What is going on here? Has anyone successfully set up their Gentoo server with Postfix + Google Apps like this?

----------

## DawgG

*Quote:*

> unable to load CA private key ...
>
> Expecting: ANY PRIVATE KEY

Obviously, the ca-script cannot find the private key. Make sure all paths are correct in openssl.cnf and verify the files really do exist in the correct place and format.

GOOD LUCK!

----------
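
The check suggested in the reply above (paths in openssl.cnf, file present, file in the right format), as an added example that is not part of the thread. The function names `cnf_get`, `check_ca_key` and `demo` are hypothetical, the sample config and key file are constructed, and the script assumes the stock layout where `[ ca ]` names the section via `default_ca` and `private_key` is written with `$dir`.

```shell
#!/bin/sh
# Added example (not from the thread): find the CA key openssl.cnf points at
# and check that it really holds a PEM private key block.

# Print the value of KEY inside [SECTION] of an OpenSSL config file.
cnf_get() {  # usage: cnf_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ {                       # section header, e.g. [ CA_default ]
            sub(/^[ \t]*\[[ \t]*/, ""); sub(/[ \t]*\].*$/, ""); cur = $0; next
        }
        cur == sec {
            line = $0; sub(/#.*/, "", line) # drop trailing comments
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Resolve the CA key path and say why "CA.pl -sign" could not load it.
# BASEDIR is the directory the command is run from (relative paths use it).
check_ca_key() {  # usage: check_ca_key CNF [BASEDIR]
    cnf=$1; base=${2:-.}
    ca=$(cnf_get "$cnf" ca default_ca)
    dir=$(cnf_get "$cnf" "$ca" dir)
    key=$(cnf_get "$cnf" "$ca" private_key)
    [ -n "$key" ] || { echo "no private_key in [$ca]"; return 2; }
    case $key in '$dir'*) key=$dir${key#'$dir'} ;; esac   # expand $dir
    case $key in /*) ;; *) key=$base/$key ;; esac
    [ -f "$key" ] || { echo "missing: $key"; return 3; }
    grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" ||
        { echo "no PEM private key block: $key"; return 4; }
    echo "ok: $key"
}

# Constructed sample: the configured key file holds a certificate, not a key.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/demoCA/private"
    printf '%s\n' '[ ca ]' 'default_ca = CA_default' '[ CA_default ]' \
        'dir = ./demoCA # CA dir' \
        'private_key = $dir/private/cakey.pem# key' > "$t/openssl.cnf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' \
        '-----END CERTIFICATE-----' > "$t/demoCA/private/cakey.pem"
    check_ca_key "$t/openssl.cnf" "$t" && rc=0 || rc=$?
    rm -rf "$t"; return $rc
}

demo || echo "exit status $?"
```

On the setup in this thread the call would be `check_ca_key /etc/ssl/openssl.cnf /etc/ssl/misc`, since `CA.pl` was run from `/etc/ssl/misc`.

----------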

## chiefbag

I think you should have a look at the following thread and follow my directions.

https://forums.gentoo.org/viewtopic-t-891858-highlight-.html

----------

## chiefbag

*Quote:*

> - I call it "try-one"

Why did you not just hit enter here to create?

----------

