# [solved] unable to load CA private key

## arkas

Hello,

I'm setting up a mail server and have a problem with SMTP authentication and SSL support.

I did everything according to the instructions from this manual: http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server/SMTP_Authentication

I want to generate a self-signed certificate and have the following error:

```
# /etc/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
unable to load CA private key
140676492514984:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem
```

newcert.pem doesn't exist!!

Thanks for the help.

Last edited by arkas on Tue Feb 22, 2011 8:45 am; edited 1 time in total

----------

## chiefbag

Do you have a file called "serial" in the default SSL directory where you are trying to create the cert?

This should have a value of "01" in it.

You should also have a file called "openssl.cnf".

You also need to create a file called "index.txt".

You may also need to export the SSL directory, for example as below:

```
export SSLDIR=/etc/ssl
```

----------

## arkas

Sorry, I'm relatively new....

I'm trying to do this in /etc/postfix!!

In this folder there is neither a serial file nor an openssl.cnf file!!

Where do I find these files?

Or should I just create them?

Does the index.txt file only have to exist?

Or do I have to write something in it?

And the SSL directory in my case as:

```
export SSLDIR=/etc/postfix
```

Thanks...

----------

## chiefbag

Try the following commands as root:

```
cd /etc/postfix
/etc/ssl/misc/CA.pl -newca
# enter hostname for all fields, eg as below; "demo" should match
openssl req -new -nodes -subj '/CN=demo/O=demo/C=IE/ST=demo/L=demo/emailAddress=demo' -keyout FOO-key.pem -out FOO-req.pem -days 3650
openssl ca -out FOO-cert.pem -infiles FOO-req.pem
cp demoCA/cacert.pem .
chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
chmod 400 /etc/postfix/FOO-key.pem
```

----------
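The procedure above, as an added example that is not chiefbag's commands nor anything from the Gentoo wiki: a POSIX shell script that does what `CA.pl -newca` and the three `openssl` calls do, but without prompts, and that stops at the first failing step instead of carrying on to a later "unable to load CA private key". Everything beyond the thread is this example's own assumption: the CA passphrase is read from the environment variable `CA_PASS`, a minimal `openssl.cnf` is written into the target directory instead of relying on `/etc/ssl/openssl.cnf`, the server certificate gets a `subjectAltName`, and the target directory and host name are command-line arguments.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive CA setup and server
# certificate issuance. Assumptions not in the thread: CA_PASS holds the CA
# passphrase, a minimal openssl.cnf is written next to demoCA, the host name
# is passed in as $2 and ends up in the subjectAltName.

# Write a minimal openssl.cnf to $1. The layout matches [ CA_default ] with
# dir = ./demoCA, i.e. what CA.pl -newca creates under the current directory.
write_cnf() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_cert

[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_cert

[ req_dn ]
CN = placeholder   # overridden by -subj on the command line

[ ca_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:${ENV::CERT_HOST}
EOF
}

# Create the CA under directory $1 and issue a server certificate for host $2.
# Returns non-zero at the first failing step.
make_ca() {
    dir=$1
    host=$2
    pass=${CA_PASS:-}

    # The interactive prompt refuses passphrases shorter than 4 characters
    # ("You must type in 4 to 1024 characters"); apply the same rule here.
    if [ ${#pass} -lt 4 ]; then
        echo "make_ca: CA_PASS must be at least 4 characters" >&2
        return 1
    fi
    export CA_PASS="$pass"     # read by -passout/-passin env:CA_PASS below
    export CERT_HOST="$host"   # read by ${ENV::CERT_HOST} in openssl.cnf

    mkdir -p "$dir/demoCA/private" "$dir/demoCA/newcerts" || return 1
    chmod 700 "$dir/demoCA/private" || return 1
    : > "$dir/demoCA/index.txt" || return 1       # empty CA database
    echo 01 > "$dir/demoCA/serial" || return 1    # first serial number
    write_cnf "$dir/openssl.cnf" || return 1

    (
        cd "$dir" || exit 1
        # 1. Encrypted CA key plus self-signed CA cert (what CA.pl -newca does).
        openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 \
            -config openssl.cnf -subj "/C=IE/O=demo/CN=demo CA" \
            -passout env:CA_PASS \
            -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem || exit 1
        chmod 400 demoCA/private/cakey.pem || exit 1
        # 2. Unencrypted server key and CSR: Postfix reads the key at start-up.
        openssl req -new -nodes -newkey rsa:2048 -sha256 \
            -config openssl.cnf -subj "/C=IE/O=demo/CN=$host" \
            -keyout "$host-key.pem" -out "$host-req.pem" || exit 1
        chmod 400 "$host-key.pem" || exit 1
        # 3. Sign the CSR with the CA key; -batch suppresses the y/n prompts.
        openssl ca -batch -notext -config openssl.cnf -passin env:CA_PASS \
            -in "$host-req.pem" -out "$host-cert.pem" || exit 1
        # 4. Check the chain before pointing Postfix at the files.
        openssl verify -CAfile demoCA/cacert.pem "$host-cert.pem" || exit 1
    )
}

# Usage: CA_PASS='some passphrase' ./make_ca.sh /etc/postfix mail.example.com
if [ $# -eq 2 ]; then
    make_ca "$1" "$2"
fi
```

The CA key stays passphrase-protected and mode 400, as chiefbag's `chmod` step intends; only the server key is written with `-nodes`, because Postfix has to open it unattended at start-up. `openssl ca` builds the issued certificate's subject from the policy section, so fields that are not listed there (`ST`, `L`, `emailAddress` in the thread's `-subj`) are dropped silently; list them as `optional` if you want them kept.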

## arkas

I have done the following as root:

```
# cd /etc/postfix
# /etc/ssl/misc/CA.pl -newca
# openssl req -new -nodes -keyout FOO-key.pem -out FOO-req.pem -days 3650
# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
```

after the last command was the following error:

```
Using configuration from /etc/ssl/openssl.cnf
unable to load CA private key
139805840819880:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
```

With which command is the file named cakey.pem created?

I think something goes wrong at this stage!!

Because I have read the config file /etc/ssl/openssl.cnf and it looks good, but that does not necessarily mean that it is so!!

/etc/ssl/openssl.cnf:

```
...
[ CA_default ]
dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
#private_key    = ./cakey.pem           # The private key
private_key     = $dir/private/cakey.pem
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
...
```

And the file exists in said path!!


----------

## chiefbag

 *Quote:*   

> With which command is the file named cakey.pem created?
> 
> I think at this stage goes something wrong!! 

 

cakey.pem is created with the first command; this is the output you should receive, as below.

I know I suggested setting your SSLDIR in a previous post; however, this is not needed, so try removing it if you have set it.

```
gen-vm postfix # ls -altr demoCA/private/cakey.pem
ls: cannot access demoCA/private/cakey.pem: No such file or directory
gen-vm postfix # /etc/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
........................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:demo
Locality Name (eg, city) []:demo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:demo
Organizational Unit Name (eg, section) []:demo
Common Name (eg, YOUR name) []:demo
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            fb:d2:0b:f7:28:54:37:40
        Validity
            Not Before: Feb 18 09:21:48 2011 GMT
            Not After : Feb 17 09:21:48 2014 GMT
        Subject:
            countryName               = IE
            stateOrProvinceName       = demo
            organizationName          = demo
            organizationalUnitName    = demo
            commonName                = demo
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                80:7C:B5:6A:13:2A:55:CE:36:51:C8:FA:E7:D4:12:EE:68:47:CF:47
            X509v3 Authority Key Identifier: 
                keyid:80:7C:B5:6A:13:2A:55:CE:36:51:C8:FA:E7:D4:12:EE:68:47:CF:47
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Feb 17 09:21:48 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
gen-vm postfix # ls -altr demoCA/private/cakey.pem
-rw-r--r-- 1 root root 1041 Feb 18 09:21 demoCA/private/cakey.pem
```

----------

## arkas

Hm,

I haven't set the SSL dir!!

Furthermore, I have no output after the command!!

```
(17:10:56) gero postfix # /etc/ssl/misc/CA.pl -newca
(17:11:03) gero postfix #
```

What should I do?

----------

## chiefbag

This is curious!

What is the output of:

```
locate CA.pl
```

Did you accidentally delete this file or files?

Try re-emerging openssl:

```
emerge -va openssl
```

----------

## arkas

```
(19:30:56) gero ~ # locate CA.pl
/etc/ssl/misc/CA.pl
/usr/share/man/man1/openssl-CA.pl.1ssl.bz2
/usr/share/man/man1/ssl-CA.pl.1ssl.bz2
```

Re-emerging openssl gives the following:

```
These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild   R   ] dev-libs/openssl-1.0.0d  USE="gmp (sse2) zlib -bindist -kerberos -rfc3779 -test" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
```

Then I deleted the file ./demoCA/private/cakey.pem

```
(20:14:56) gero private # cd /etc/postfix/
(20:16:08) gero postfix # /etc/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
...................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
140698967770792:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 1024 characters
140698967770792:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
140698967770792:error:0907E06F:PEM routines:DO_PK8PKEY:read key:pem_pk8.c:130:
Using configuration from /etc/ssl/openssl.cnf
unable to load CA private key
140393571014312:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
```

Last edited by arkas on Fri Feb 18, 2011 8:17 pm; edited 1 time in total

----------
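The output above shows the whole failure chain that the rest of the thread unpicks: the passphrase prompt is rejected ("You must type in 4 to 1024 characters"), `openssl req` has already opened `./demoCA/private/cakey.pem` for writing so an empty file is left behind, and the signing step then fails with "no start line" because there is no `-----BEGIN ... PRIVATE KEY-----` block to read. The pre-flight check below, an added example rather than anything posted in the thread, tells those cases apart before `openssl ca` or `CA.pl -sign` is run, and also flags a CA key that is readable by group or others, as the `-rw-r--r--` listing earlier in the thread was. The messages and the 0/1/2 return codes are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the CA key file
# that "openssl ca" / CA.pl -sign will try to load.
# Returns 0 if the file looks usable, 1 if openssl will fail to load it,
# 2 if it is loadable but readable by other users.
check_ca_key() {
    key=$1

    if [ ! -e "$key" ]; then
        echo "FAIL: $key does not exist; the CA creation step (CA.pl -newca) never ran, or ran in another directory"
        return 1
    fi
    if [ ! -s "$key" ]; then
        # openssl req opens the key file before it asks for the passphrase, so
        # an aborted prompt (e.g. fewer than 4 characters) leaves an empty file.
        echo "FAIL: $key is empty; delete it and run the CA creation step again"
        return 1
    fi
    if ! grep -q '^-----BEGIN .*PRIVATE KEY-----' "$key"; then
        # Exactly the case openssl reports as
        # "PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY".
        echo "FAIL: $key has no PEM private-key header; openssl will report 'no start line'"
        return 1
    fi
    # Both the traditional format ("Proc-Type: 4,ENCRYPTED") and PKCS#8
    # ("BEGIN ENCRYPTED PRIVATE KEY") carry the word ENCRYPTED.
    if grep -q ENCRYPTED "$key"; then
        echo "info: $key is passphrase-protected (expected for a CA key)"
    else
        echo "info: $key is NOT passphrase-protected"
    fi

    # ls -l prints e.g. -rw-r--r--; characters 5-10 are the group/other bits.
    mode=$(ls -l "$key" | cut -c1-10)
    if [ "$(echo "$mode" | cut -c5-10)" != "------" ]; then
        echo "WARN: $key is readable by group/others ($mode); run: chmod 400 $key"
        return 2
    fi
    echo "OK: $key ($mode)"
    return 0
}

# Usage: ./check_ca_key.sh /etc/postfix/demoCA/private/cakey.pem
if [ $# -eq 1 ]; then
    check_ca_key "$1"
fi
```

Run it from the directory you invoke `openssl ca` in, with the `private_key` path from `[ CA_default ]`, since `dir = ./demoCA` is relative to the current directory: a key that exists under `/etc/ssl/demoCA` is "missing" when you run the CA tools from `/etc/postfix`.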

## chiefbag

From the error message, it looks like your passphrase is less than 4 characters.

Try using a word like "password".

----------

## arkas

A friend told me to leave that blank!!

Is it unsafe to use a passphrase?

Or what does this do at all?

----------

## chiefbag

Maybe you should have asked your friend about the error message!

Enter a passphrase; this is standard practice when creating any CA.

----------

## arkas

ok...

Do I have to remember this pass phrase?

----------

## chiefbag

@arkas 

Yes, this is vital, but you only need to remember it for a few seconds until you sign the requested cert.

I don't mean to be sarcastic; if you have any technical questions, fair enough, but please try and use some common sense.

----------

## arkas

I'm sorry, I do not know much about this subject.

I only want to learn some things!!

In any case, I thank you a lot!

Unless it works!!

----------

## chiefbag

@arkas

No problem.

"The day that one thinks they know it all is the day after one should have died". 

One tip for future is to post all of the error message from the start of the post, this saves time for everyone. 

Please mark this thread solved. 

If you need a full postfix How To let me know.

----------

## Aileencita

I had a problem with my certificate because I left the passphrase blank, so then I could not generate another certificate or open the current one.

I tried deleting the cakey.pem from $dir/CA/private.

First of all, check your openssl.cnf; in CentOS it is in /etc/pki/tls/openssl.cnf. Check the value dir=xxxxxxx

Enter that path (example: /etc/pki/tls/openssl.cnf) and check $dir

Enter $dir (example: /etc/pki/CA) and find /private

Delete the key file cakey.pem

Now everything should go back to normal.

Try to generate your certificate again (example: $/etc/pki/tls/misc/CA -newca) and that's it!!!

Good luck and I hope this post will be helpful!

----------

