
Re: LDAP + RADIUS + SSL

 You wrote this line:  openssl rsa -in newcert.pem -out newkey.pem

 But I have this problem:
---------------------------------------------------------
# openssl rsa -in  newcert.pem -out newkey.pem
unable to load Private Key
30662:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:637:Expecting: ANY PRIVATE KEY
-------------------------------------------------------


 Then, because I had this problem, I wrote this: openssl rsa -in newreq.pem -out newkey.pem


 Is this correct?

On Fri, 14 Jan 2005, Dieter Kluenter wrote:

> Anderson Alves de Albuquerque <anderson@belem.voip.nce.ufrj.br> writes:
> 
> >   I am listing my steps....
> >
> > - I am doing these steps:
> > % openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365 
> >
> > % mkdir /var/myca
> > % cd /var/myca/ 
> > % /usr/share/ssl/misc/CA.sh -newca
> >
> > % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 
> >
> > % /usr/share/ssl/misc/CA.sh -sign 
> >
> > % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem 
> > % mv newcert.pem /usr/var/openldap-data/servercrt.pem 
> > % mv newreq.pem /usr/var/openldap-data/serverkey.pem 
> > % chmod 400 /usr/var/openldap-data/serverkey.pem 
> 
> [...]
> 
> It seems that you have not signed your request with the cacert but
> created a selfsigned servercert. Test with
> openssl x509 -in servercrt.pem -text
> 
> Run testwise slapd -h ldaps:///
> and connect with openssl
> openssl s_client -connect your.server:636 -showcerts
> 
> I would recommend the following procedure to create certificates
> - edit openssl.cnf to your requirements
> - ./CA.pl -newca
> - ./CA.pl -newreq
> - ./CA.pl -signreq (which is different from -sign)
> - openssl rsa -in  newcert.pem -out newkey.pem
> - mv newcert.pem servercert.pem
> - mv newkey.pem serverkey.pem
> 
> -Dieter
> 
>
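Added example (not part of the thread above): a small stdlib-only Python checker that lists the PEM blocks in a file and reports whether `openssl rsa -in` would find a private key to read. The "no start line ... Expecting: ANY PRIVATE KEY" error quoted above is exactly that check failing: openssl's PEM reader scans the file for a BEGIN line of the expected type and gives up when none is present. The file contents below are constructed stand-ins for newcert.pem and newreq.pem, not real key or certificate material.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line whose label matches the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Labels openssl's PEM reader accepts for "ANY PRIVATE KEY" (what `openssl rsa -in` wants).
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Return the labels of well-formed PEM blocks in text, in file order.
    Text outside BEGIN/END lines (such as the human-readable dump CA.sh writes
    in front of the certificate) is ignored, as openssl ignores it."""
    labels = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Drop header lines like "Proc-Type:" / "DEK-Info:" that encrypted keys carry.
        payload = "".join(line for line in body.splitlines() if ":" not in line)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            continue  # not a readable block; openssl would reject it too
        labels.append(label)
    return labels

def has_private_key(text):
    """True if `openssl rsa -in <file>` would find a start line to read."""
    return any(label in PRIVATE_KEY_LABELS for label in pem_blocks(text))

def _fake_block(label):
    # Constructed placeholder body: valid base64, but NOT real key or certificate data.
    body = base64.b64encode(b"constructed placeholder for " + label.encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-in for newcert.pem as written by CA.sh -sign:
# a text dump followed by the certificate only, no key.
NEWCERT_PEM = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + _fake_block("CERTIFICATE")
# Constructed stand-in for newreq.pem as written by
# `openssl req -newkey ... -nodes -keyout newreq.pem -out newreq.pem`:
# the unencrypted key and the request end up in the same file.
NEWREQ_PEM = _fake_block("RSA PRIVATE KEY") + _fake_block("CERTIFICATE REQUEST")

if __name__ == "__main__":
    for name, text in (("newcert.pem", NEWCERT_PEM), ("newreq.pem", NEWREQ_PEM)):
        print(name, pem_blocks(text), "private key present:", has_private_key(text))
```

Run against the real files with `pem_blocks(open(path).read())` to see at a glance which of them actually carries the key before pointing slapd at it.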