setting up an openssl client/server

Matthias Apitz guru at unixarea.de
Sat Jul 21 15:59:26 UTC 2012


Hello,

I'm trying to build openssl keys to be used in a client/server connection
by the following procedure:

http://acs.lbl.gov/~boverhof/openssl_certs.html

Generating Client/Server certificates with a local CA

Generate a CA

1)    openssl req -out ca.pem -new -x509

      -generates CA file "ca.pem" and CA key "privkey.pem"

Generate server certificate/key pair - no password required.

2) openssl genrsa -out server.key 1024
3) openssl req -key server.key -new -out server.req
4) openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem

   (contents of "file.srl" is a two digit number.  eg. "00")

Generate client certificate/key pair

5) Either choose to encrypt the key(a) or not(b)
   a. Encrypt the client key with a passphrase
   openssl genrsa -des3 -out client.key 1024
   b. Don't encrypt the client key  (I used this)
   openssl genrsa -out client.key 1024
6) openssl req -key client.key -new -out client.req
7) openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
   
Then I copy over the files client.pem and server.pem to the example
software:

$ cp server.pem client.pem openssl-examples-20020110

but the server can't understand the file server.pem:

$ openssl-examples-20020110/wserver
Can't read key file
4783:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/home/guru/myThings/FreeBSD/9-CURRENT/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:650:Expecting: ANY PRIVATE KEY
4783:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/usr/home/guru/myThings/FreeBSD/9-CURRENT/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:

$ cat openssl-examples-20020110/server.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Perhaps something is wrong with the way used to generate the keys, but
what?

Thanks

	matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru at unixarea.de> - w http://www.unixarea.de/
UNIX since V7 on PDP-11 | UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2 | FreeBSD since 2.2.5

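The error above comes from SSL_CTX_use_PrivateKey_file() finding no "-----BEGIN ... PRIVATE KEY-----" block in the file it was given: step 4's `openssl x509 -req ... -out server.pem` writes only the certificate, while the key stays in server.key. Below is an added example (not from the original post or the openssl-examples package) of a small shell check that lists the PEM block types in a file, refuses a server file with no key, and builds a combined key+certificate file; it assumes, as the error output suggests, that wserver reads both its key and its certificate from server.pem.

```shell
#!/bin/sh
# Added example, not code from the original post.  Pure shell, so it runs
# without openssl; the block names are those OpenSSL's PEM reader looks for.

# Print the block types ("CERTIFICATE", "RSA PRIVATE KEY", ...) in a PEM file,
# one per line, in file order.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 if the file holds both a certificate and some private key block
# (RSA PRIVATE KEY, PRIVATE KEY, EC PRIVATE KEY, ...); otherwise report what
# is missing on stderr and return 1.  This is the check that would have
# flagged server.pem before wserver tried to load it.
check_server_pem() {
    types=$(pem_block_types "$1")
    rc=0
    if ! printf '%s\n' "$types" | grep -q '^CERTIFICATE$'; then
        echo "$1: no CERTIFICATE block" >&2; rc=1
    fi
    if ! printf '%s\n' "$types" | grep -q 'PRIVATE KEY$'; then
        echo "$1: no PRIVATE KEY block" >&2; rc=1
    fi
    return $rc
}

# Concatenate server.key and the issued certificate into one PEM file, key
# first.  OpenSSL's PEM reader skips blocks of the wrong type, so the same
# file serves SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file().
# Because the file now contains the private key, it is written with
# owner-only permissions (umask in a subshell so the caller's umask is kept).
make_server_bundle() {
    key=$1; cert=$2; out=$3
    ( umask 077; cat "$key" "$cert" > "$out" )
}
```

Run `check_server_pem server.pem` in the openssl-examples directory; when it reports a missing key block, `make_server_bundle server.key server.pem server.pem.new` produces a file that passes the check.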

More information about the freebsd-questions mailing list