# OpenSSL Cert problems

## MrMullen

I am trying to generate a new cert so I can use SASL with Postfix to send mail (IMAP with SSL will come later). However, when I try to generate a cert, I get this problem (Note: Problem is at the bottom of the list):

```
root@church misc # ./CA.pl  -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.........................++++++
.................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
US []:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Chico
Organization Name (eg, company) [Internet Widgits Pty Ltd]:blank
Organizational Unit Name (eg, section) [Mailserver]:
mail.stjohnchico.org []:
postmaster@stjohnchico.org []:
root@church misc # ./CA.pl -newreq
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
............++++++
..................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
US []:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Chico
Organization Name (eg, company) [Internet Widgits Pty Ltd]:blank
Organizational Unit Name (eg, section) [Mailserver]:
mail.stjohnchico.org []:
postmaster@stjohnchico.org []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
root@church misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
stateOrProvinceName   :PRINTABLE:'California'
localityName          :PRINTABLE:'Chico'
organizationName      :PRINTABLE:'blank'
organizationalUnitName:PRINTABLE:'Mailserver'
US:invalid type in 'policy' configuration
Signed certificate is in newcert.pem
```

Here is an `ls -la` of the /etc/ssl/misc dir. Note the zero-size newcert.pem:

```
root@ misc # ls -la
total 19
drwxr-xr-x    3 root     root         1024 Nov 21 13:07 .
drwxr-xr-x    7 root     root         1024 Nov 21 08:22 ..
-rwxr-xr-x    1 root     root         5227 Nov 21 08:24 CA.pl
-rwxr-xr-x    1 root     root         3505 Oct 17 10:52 CA.sh
-rwxr-xr-x    1 root     root          119 Oct 17 10:52 c_hash
-rwxr-xr-x    1 root     root          152 Oct 17 10:52 c_info
-rwxr-xr-x    1 root     root          113 Oct 17 10:52 c_issuer
-rwxr-xr-x    1 root     root          110 Oct 17 10:52 c_name
drwxr-xr-x    6 root     root         1024 Nov 21 13:07 demoCA
-rw-r--r--    1 root     root            0 Nov 21 13:07 newcert.pem
-rw-r--r--    1 root     root         1498 Nov 21 13:07 newreq.pem
root@ misc #
```

If anyone has any ideas, let me know. I have a rather straightforward, regular config.

----------

## MrMullen

Found the solution.

Read:

http://marc.theaimsgroup.com/?l=openssl-users&m=103596554809285&w=2

----------

