# Problem signing a SSL CA certificate

## dman777

I created a SSL CA certificate. Now I am trying to sign it, but I get an error it where it can not find the passkey. What am I doing wrong?

```
 localhost three # open ssl req -new -nodes -subj '/C=US/ST=Texas/L=Austin' -keyout FOO-key.pem -out FOO-req.pem -days 1095

bash: open: command not found

localhost three # openssl req -new -nodes -subj '/C=US/ST=Texas/L=Austin' -keyout FOO-key.pem -out FOO-req.pem -days 1095

Generating a 1024 bit RSA private key

...++++++

.................++++++

writing new private key to 'FOO-key.pem'

-----

localhost three # openssl ca -out FOO-cert.pem -infiles FOO-req.pem

Using configuration from /etc/ssl/openssl.cnf

Error opening CA private key ./demoCA/private/cakey.pem

13193:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')

13193:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:

unable to load CA private key

localhost three # 

```

----------

## John R. Graham

First command should be "openssl", not "open ssl".    :Razz: 

- John

----------

## tuber

Try 

```
openssl ca -out FOO-cert.pem -infiles FOO-req.pem -keyfile FOO-key.pem
```

 *dman777 wrote:*   

> localhost three # openssl ca -out FOO-cert.pem -infiles FOO-req.pem
> 
> Using configuration from /etc/ssl/openssl.cnf
> 
> Error opening CA private key ./demoCA/private/cakey.pem
> ...

 

----------

## Hu

You may want to use GnuTLS for this instead.  It provides certtool to manage certificates, and the info page has a nice step-by-step of how to create a CA, and use it to sign a non-CA certificate.  The certificates created this way should be in a standard form, so you can feed them back into applications using OpenSSL.

----------

## DawgG

i have experienced a very similar error. make sure the paths you are using are exactly the paths stated in openssl.cnf or adapt openssl.cnf to the paths you want to use. stuff like that can also happen if the index or serial.txt-files are missing.

personally, i like a name different from DemoCA.

GOOD LUCK!

----------

