From: Matthias Apitz
To: freebsd-questions@freebsd.org
Date: Sat, 21 Jul 2012 17:59:22 +0200
Subject: setting up an openssl client/server
Message-ID: <20120721155922.GA4774@tinyCurrent>

Hello,

I'm trying to build openssl keys to be used in a client/server connection by
the following procedure: http://acs.lbl.gov/~boverhof/openssl_certs.html

Generating Client/Server certificates with a local CA

Generate a CA

1) openssl req -out ca.pem -new -x509
   - generates CA file "ca.pem" and CA key "privkey.pem"

Generate server certificate/key pair - no password required.

2) openssl genrsa -out server.key 1024
3) openssl req -key server.key -new -out server.req
4) openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
   (contents of "file.srl" is a two digit number, e.g. "00")

Generate client certificate/key pair

5) Either choose to encrypt the key (a) or not (b)
   a. Encrypt the client key with a passphrase
      openssl genrsa -des3 -out client.key 1024
   b. Don't encrypt the client key (I used this)
      openssl genrsa -out client.key 1024
6) openssl req -key client.key -new -out client.req
7) openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem

Then I copy over the files client.pem and server.pem to the example software:

$ cp server.pem client.pem openssl-examples-20020110

but the server can't understand the file server.pem:

$ openssl-examples-20020110/wserver
Can't read key file
4783:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/home/guru/myThings/FreeBSD/9-CURRENT/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:650:Expecting: ANY PRIVATE KEY
4783:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/usr/home/guru/myThings/FreeBSD/9-CURRENT/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:

$ cat openssl-examples-20020110/server.pem
-----BEGIN CERTIFICATE-----
MIIB+TCCAWICAQMwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDAeFw0xMjA3MjExNTM0MTZaFw0xMjA4MjAxNTM0MTZaMEUxCzAJBgNVBAYTAkFV
MRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRz
IFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSYH6rEOJHR86gi
IvkPlWIFTSjAdxw/M/RWiRVSF7nPyDrdjfZ6T6uCGu+gax72SOt3uGCGKKtWa58z
1R9EVvU5OhJNUDXU72yFAKpcAH04ysdf2eNyInMbj+s+DYNukrVofTnrkqjAq2YS
0fOQmH2LbmjKTn4Ia9d9iEFXvR4/AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAT3Vm
EonQgYTwnktQMeRi7Uo40IYVXd3rNHeJFobVszP7ladNtBdjRAhD+03rbXBahxDA
IGo68N8LdS5wxdUjQizmyTCsBJI2oTpQeSkZ0BrDExs8NCz8OzhskdMdgRw3JUXD
tM6F1CUQbvpelHg9Yg3ILA5a4LE+nH774SyL+cE=
-----END CERTIFICATE-----

Perhaps something is wrong with the way used to generate the keys, but what?

Thanks

	matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e - w http://www.unixarea.de/
UNIX since V7 on PDP-11 | UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2 | FreeBSD since 2.2.5
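The "no start line ... Expecting: ANY PRIVATE KEY" error in the mail above is raised when the PEM file handed to SSL_CTX_use_PrivateKey_file contains no "BEGIN ... PRIVATE KEY" block at all. The following POSIX shell script is an added example, not part of the original mail or of the openssl-examples package; it lists the PEM blocks a file actually contains, classifies the file as key-only, cert-only or key+cert, builds a combined key+cert file from the separate server.key and server.pem that steps 2-4 produce, and (when openssl is installed) runs the standard openssl sanity checks. The file names, the helper names and the placeholder PEM bodies in the demo are constructed for illustration and are not real keys.

```shell
#!/bin/sh
# Added example (not from the original mail): inspect what a PEM file holds
# before handing it to an SSL server, and build a combined key+cert file.
# File names below are assumptions; sample PEM bodies are placeholders.
set -u

# Print the label of every "-----BEGIN ...-----" block in a PEM file, one per line.
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# 0 if the file has a private-key block (RSA PRIVATE KEY, PRIVATE KEY,
# ENCRYPTED PRIVATE KEY ...), which is what "Expecting: ANY PRIVATE KEY" asks for.
pem_has_private_key() {
    pem_blocks "$1" | grep -q 'PRIVATE KEY$'
}

# 0 if the file has a certificate block.
pem_has_certificate() {
    pem_blocks "$1" | grep -qx 'CERTIFICATE'
}

# Classify a PEM file: key+cert, key-only, cert-only or neither.
pem_kind() {
    if pem_has_private_key "$1"; then
        if pem_has_certificate "$1"; then echo key+cert; else echo key-only; fi
    elif pem_has_certificate "$1"; then
        echo cert-only
    else
        echo neither
    fi
}

# Combine KEY and CERT into OUT (key first, then certificate), refusing inputs
# that do not contain the expected block. The result holds a secret, so it is
# made readable by the owner only. Prints the classification of OUT.
combine_key_and_cert() {
    key=$1; cert=$2; out=$3
    pem_has_private_key "$key" || { echo "$key: no private key block" >&2; return 1; }
    pem_has_certificate "$cert" || { echo "$cert: no certificate block" >&2; return 1; }
    cat "$key" "$cert" > "$out"
    chmod 600 "$out"
    pem_kind "$out"
}

# Run the usual openssl checks on real files (KEY CERT CA): key consistency,
# certificate subject/validity, and that CA signed the certificate.
# Skipped when openssl is not installed, so the script still runs offline.
verify_with_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipped"; return 0; }
    openssl rsa -in "$1" -check -noout &&
    openssl x509 -in "$2" -noout -subject -dates &&
    openssl verify -CAfile "$3" "$2"
}

# Write a minimal PEM file: FILE LABEL BODY (body is a constructed placeholder).
write_pem() {
    printf '%s\n' "-----BEGIN $2-----" "$3" "-----END $2-----" > "$1"
}

# Demo on constructed files: a cert-only server.pem like the one in the mail,
# a separate server.key, and the combined file the server can load.
demo() {
    d=$(mktemp -d)
    write_pem "$d/server.pem" "CERTIFICATE" "MIIB...placeholder"
    write_pem "$d/server.key" "RSA PRIVATE KEY" "MIIC...placeholder"
    echo "server.pem: $(pem_kind "$d/server.pem")"
    echo "server.key: $(pem_kind "$d/server.key")"
    echo "combined:   $(combine_key_and_cert "$d/server.key" "$d/server.pem" "$d/server-combined.pem")"
    rm -rf "$d"
}

demo
```

On the real files from steps 1-4, `pem_kind server.pem` shows whether the server file carries a key block, `combine_key_and_cert server.key server.pem server-combined.pem` produces a file that passes the "ANY PRIVATE KEY" lookup, and `verify_with_openssl server.key server.pem ca.pem` confirms the key is well-formed and that ca.pem signed the certificate.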