Re: LDAP + RADIUS + SSL
You wrote this line: openssl rsa -in newcert.pem -out newkey.pem
But I have this problem:
---------------------------------------------------------
# openssl rsa -in newcert.pem -out newkey.pem
unable to load Private Key
30662:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:637:Expecting: ANY PRIVATE KEY
-------------------------------------------------------
Then I had this problem, so I wrote this: openssl rsa -in newreq.pem -out newkey.pem
Is this correct?
On Fri, 14 Jan 2005, Dieter Kluenter wrote:
> Anderson Alves de Albuquerque <anderson@belem.voip.nce.ufrj.br> writes:
>
> > I am listing my steps....
> >
> > - I am doing this steps:
> > % openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
> >
> > % mkdir /var/myca
> > % cd /var/myca/
> > % /usr/share/ssl/misc/CA.sh -newca
> >
> > % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
> >
> > % /usr/share/ssl/misc/CA.sh -sign
> >
> > % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem
> > % mv newcert.pem /usr/var/openldap-data/servercrt.pem
> > % mv newreq.pem /usr/var/openldap-data/serverkey.pem
> > % chmod 400 /usr/var/openldap-data/serverkey.pem
>
> [...]
>
> It seems that you have not signed your request with the cacert but
> created a selfsigned servercert. Test with
> openssl x509 -in servercrt.pem -text
>
> Run testwise slapd -h ldaps:///
> and connect with openssl
> openssl s_client -connect your.server:636 -showcerts
>
> I would recommend following procedure to create certificates
> - edit openssl.cnf to your requirements
> - ./CA.pl -newca
> - ./CA.pl -newreq
> - ./CA.pl -signreq (which is different from -sign)
> - openssl rsa -in newcert.pem -out newkey.pem
> - mv newcert.pem servercert.pem
> - mv newkey.pem serverkey.pem
>
> -Dieter
>
>
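As a pre-flight for the three files slapd will read, here is an added shell example (not part of this thread, and not from Anderson or Dieter): it reports which PEM blocks a file actually holds, tells a self-signed certificate apart from one issued by the CA, and confirms the key belongs to the certificate. It assumes openssl on PATH; the file names are placeholders.

```shell
# Added example, not from the thread: pre-flight checks for the PEM files
# slapd will read. Assumes openssl on PATH; file names are placeholders.

# Print the PEM block labels in a file, one per line (CERTIFICATE,
# CERTIFICATE REQUEST, PRIVATE KEY, ...). openssl rsa's "no start line ...
# Expecting: ANY PRIVATE KEY" means no PRIVATE KEY block was found.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# True if the file carries a private key block (RSA or PKCS#8 label).
has_private_key() {
    pem_labels "$1" | grep -q 'PRIVATE KEY'
}

# True if the certificate is self-signed (issuer equals subject).
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# True if the certificate verifies against the CA certificate.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True if the key's public half equals the certificate's public key.
key_matches_cert() {
    keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    certpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# Run all checks on key, server cert and CA cert; print what failed.
check_slapd_tls_files() {
    key=$1; cert=$2; ca=$3; rc=0
    has_private_key "$key" || { echo "$key: no PRIVATE KEY block"; rc=1; }
    ! cert_is_self_signed "$cert" || { echo "$cert: self-signed, not CA-issued"; rc=1; }
    cert_signed_by_ca "$cert" "$ca" || { echo "$cert: does not verify against $ca"; rc=1; }
    key_matches_cert "$key" "$cert" || { echo "$key: does not match $cert"; rc=1; }
    return $rc
}
```

Running `check_slapd_tls_files serverkey.pem servercrt.pem cacert.pem` against the files in /usr/var/openldap-data reports exactly which of the three is wrong before slapd is restarted.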