# HELP - cannot make self-signed cert for postfix - SOLVED

## Moriah

This topic has appeared here in the past, but always with different variations. The last post I could find was 2 years ago.

After 18 years of running sendmail, I am building a new mail server with postfix by following:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

When I got to the section named "5. SSL Certs for Postfix and Apache", I followed the directions:

```
# cd misc
# ./CA.pl -newreq-nodes
# ./CA.pl -newca
# ./CA.pl -sign
# cp newcert.pem /etc/postfix
# cp newkey.pem /etc/postfix
# cp demoCA/cacert.pem /etc/postfix
```

But the copy operations fail because:

```
hophni misc # cd /etc/ssl/misc
hophni misc # ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
...............++++++
.......................++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [KY]:
Locality Name [Warsaw]:
Organization Name [Elijah Laboratories Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) [elilabs.com]:
Email Address [root@elilabs.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
hophni misc # ./CA.pl -newca
hophni misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
unable to load CA private key
140398339446440:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem
hophni misc # ls -latr
total 48
-rwxr-xr-x 1 root root 6419 Jun 10 12:58 tsget
-rwxr-xr-x 1 root root  110 Jun 10 12:58 c_name
-rwxr-xr-x 1 root root  112 Jun 10 12:58 c_issuer
-rwxr-xr-x 1 root root  152 Jun 10 12:58 c_info
-rwxr-xr-x 1 root root  119 Jun 10 12:58 c_hash
-rwxr-xr-x 1 root root 5175 Jun 10 12:58 CA.sh
-rwxr-xr-x 1 root root 5679 Jun 10 12:58 CA.pl
drwxr-xr-x 6 root root   94 Jun 10 20:36 ..
drwxr-xr-x 6 root root   89 Jun 10 20:37 demoCA
-rw-r--r-- 1 root root  692 Jun 10 21:44 newreq.pem
-rw-r--r-- 1 root root  916 Jun 10 21:44 newkey.pem
drwxr-xr-x 3 root root  143 Jun 10 21:44 .
hophni misc # find . -name 'newcert.pem' -print
hophni misc # 
```

As you can see, it lied when it said, "Signed certificate is in newcert.pem"; there is no newcert.pem!

So what bit rot has occurred since the Guide was written?

The problem seems to be "unable to load CA private key", but why, and what is the fix?

----------

## DawgG

I haven't done this with postfix lately (only with apache, squid), but I found it best to put sensible values into openssl.cnf before running CA.pl.

Just back up the original one and write the stuff you need into the new one (can also save quite a bit of typing).

> 140398339446440:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

oh yes, those openssl-errors look scary, but usually it's just "file not found" because some (preset) paths are wrong.

GOOD LUCK!
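
The two points above (the CA.pl sequence from the first post, and DawgG's note that the "no start line" error is usually a wrong or missing file behind a preset path in openssl.cnf) as an added example, not code from the thread or the Gentoo guide. It reads the CA key path out of the `[ CA_default ]` section of an openssl.cnf, checks that the file actually contains a PEM private-key block before any signing happens, and then does the newca/newreq/sign steps with plain `openssl` commands in the current directory. The `demoCA` layout follows the stock openssl.cnf; the subject names are made up.

```shell
#!/bin/sh
# Print the CA private key path from [ CA_default ], expanding $dir the way
# openssl does (stock config gives "./demoCA/private/cakey.pem").
ca_key_path() {
    awk -F'=' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^\[/ { in_ca = ($0 ~ /CA_default/) }
        in_ca && $1 ~ /^[ \t]*dir[ \t]*$/         { dir = trim($2) }
        in_ca && $1 ~ /^[ \t]*private_key[ \t]*$/ { key = trim($2) }
        END { sub(/\$dir/, dir, key); print key }
    ' "$1"
}

# "no start line ... Expecting: ANY PRIVATE KEY" means the file openssl opened
# has no PEM private-key block: empty, missing, or the wrong file. Check that.
pem_has_private_key() {
    [ -s "$1" ] && grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$1"
}

# Run the check against whatever openssl.cnf says the CA key is (relative to $PWD).
ca_preflight() {
    _key=$(ca_key_path "$1")
    if pem_has_private_key "$_key"; then
        echo "CA key OK: $_key"
    else
        echo "no PEM private key at '$_key'; -sign would fail with 'unable to load CA private key'" >&2
        return 1
    fi
}

# Plain-openssl equivalent of CA.pl -newca / -newreq-nodes / -sign, in $PWD,
# which refuses to sign unless the CA key really is there (CA.pl does not check).
sign_with_demo_ca() {
    mkdir -p demoCA/private
    openssl req -new -x509 -nodes -days 365 -subj '/CN=Demo CA' \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
    openssl req -new -nodes -subj '/CN=mail.example.test' \
        -keyout newkey.pem -out newreq.pem 2>/dev/null
    pem_has_private_key demoCA/private/cakey.pem || { echo "refusing to sign: no CA key" >&2; return 1; }
    openssl x509 -req -days 365 -in newreq.pem -CA demoCA/cacert.pem \
        -CAkey demoCA/private/cakey.pem -CAcreateserial -out newcert.pem 2>/dev/null
    openssl verify -CAfile demoCA/cacert.pem newcert.pem >/dev/null
}
```

Running `ca_preflight /etc/ssl/openssl.cnf` from `/etc/ssl/misc` before `./CA.pl -sign` tells you whether the key the config points at exists, which is the question the first post's output leaves open.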

----------

## Moriah

This was solved in another thread.

See:

https://forums.gentoo.org/viewtopic-t-962516-highlight-.html?sid=f99188c8008f07f13904914e1916f343

----------

