[SR-Users] help to fix bug in TLS module.

peter_green lion betergreen at live.com
Fri Sep 3 12:29:28 CEST 2010 

hi all,
I have configure to use TLS module,but i have a problem in step : create key.

i follow these step:

Creating CA certificate
-----------------------
1. create CA dir
	mkdir ca
	cd ca
	
2. create ca dir structure and files  (see ca(1))
	mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf
	mkdir  demoCA/private
	mkdir demoCA/newcerts
	touch demoCA/index.txt
	echo 01 >demoCA/serial
	
2. create CA private key
	openssl genrsa -out demoCA/private/cakey.pem 2048
	chmod 600 demoCA/private/cakey.pem
	
3. create CA self-signed certificate
	openssl req -out demoCA/cacert.pem   -x509 -new -key demoCA/private/cakey.pem


Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
	openssl req -out ser1_cert_req.pem -new -nodes
   WARNING: the organization name should be the same as in the ca certificate.
	
2. sign it with the ca certificate
	openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
	
3. copy ser1_cert.pem to your ser config. dir


Setting ser to use the certificate
----------------------------------
1. create the ca list file:
	for each of your ca certificates that you intend to use do:
		cat cacert.pem >>calist.pem
	
2. copy your ser certificate, private key and ca list file to your 
	intended machine (preferably in your ser cfg. directory, this is the 
	default place ser searches for)
	
3. set up ser.cfg to use the certificate
	if your ser certificate name is different from cert.pem or it is not
	placed in ser cfg. directory, add to your ser.cfg:
		modparam("tls", "certificate", "/path/cert_file_name")
	
4. set up ser to use the private key
	if your private key is not contained in the certificate (or the
	 certificate name is not the default cert.pem), add to your ser.cfg:
		modparam("tls", "private_key", "/path/private_key_file")
	
5. set up ser to use the ca list (optional)
	add to your ser.cfg:
		modparam("tls", "ca_list", "/path/ca_list_file")
	
6. set up tls authentication options:
		modparam("tls", "verify_certificate", 1)
		modparam("tls", "require_certificate", 1) 
	(for more information see the module parameters documentation)

but in step : 2. sign it with the ca certificate(command :openssl ca -in ser1_cert_req.pem -out ser1_cert.pe
)
i have error and it openssl can not make file "ser1_cert.pem
"

the error is :

[root at appliance ca]# openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
15231:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
15231:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key


please help me to fix it, or suggest to check and make it work.
thanks all.

Peter green
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20100903/5afcab94/attachment.htm>

More information about the sr-users mailing list