hi all, I have configured ser to use the TLS module, but I have a problem in the step: create key.
i followed these steps:
Creating CA certificate
-----------------------
1. create CA dir
   mkdir ca
   cd ca
2. create ca dir structure and files (see ca(1))
   mkdir demoCA   # default CA name, edit /etc/ss/openssl.cnf
   mkdir demoCA/private
   mkdir demoCA/newcerts
   touch demoCA/index.txt
   echo 01 >demoCA/serial
3. create CA private key
   openssl genrsa -out demoCA/private/cakey.pem 2048
   chmod 600 demoCA/private/cakey.pem
4. create CA self-signed certificate
   openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem

Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
   openssl req -out ser1_cert_req.pem -new -nodes
   WARNING: the organization name should be the same as in the ca certificate.
2. sign it with the ca certificate
   openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
3. copy ser1_cert.pem to your ser config. dir

Setting ser to use the certificate
----------------------------------
1. create the ca list file: for each of your ca certificates that you intend to use do:
   cat cacert.pem >>calist.pem
2. copy your ser certificate, private key and ca list file to your intended machine (preferably in your ser cfg. directory, this is the default place ser searches for)
3. set up ser.cfg to use the certificate
   if your ser certificate name is different from cert.pem or it is not placed in ser cfg. directory, add to your ser.cfg:
   modparam("tls", "certificate", "/path/cert_file_name")
4. set up ser to use the private key
   if your private key is not contained in the certificate (or the certificate name is not the default cert.pem), add to your ser.cfg:
   modparam("tls", "private_key", "/path/private_key_file")
5. set up ser to use the ca list (optional)
   add to your ser.cfg:
   modparam("tls", "ca_list", "/path/ca_list_file")
6. set up tls authentication options:
   modparam("tls", "verify_certificate", 1)
   modparam("tls", "require_certificate", 1)
   (for more information see the module parameters documentation)
but in step 2 (sign it with the ca certificate, command: openssl ca -in ser1_cert_req.pem -out ser1_cert.pem) I get an error and openssl cannot make the file "ser1_cert.pem".
the error is:
[root@appliance ca]# openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
15231:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
15231:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
please help me to fix it, or suggest what to check to make it work. thanks all.
Peter green
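The error output above shows where the problem is: `openssl ca` read the system /etc/pki/tls/openssl.cnf, whose CA private_key entry resolves to ../../CA/private/cakey.pem, while the README's steps put the key in demoCA/private/cakey.pem. As an added example that is not part of this thread or of the ser tls module, the POSIX sh script below runs the README's CA steps with a private config passed via -config, so `openssl ca` resolves demoCA's own paths; the working directory, the organization name and the CN values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: run the README's CA steps with a private
# openssl.cnf whose [ CA_default ] dir is ./demoCA. The thread's error comes
# from the system /etc/pki/tls/openssl.cnf, whose private_key entry resolves to
# ../../CA/private/cakey.pem instead of demoCA/private/cakey.pem.
set -eu

# Builds a CA under $1, signs a request for CN=$2, prints the signed cert path.
build_ca_and_sign() {
  work="$1"; cn="$2"
  mkdir -p "$work/demoCA/private" "$work/demoCA/newcerts"
  touch "$work/demoCA/index.txt"
  echo 01 > "$work/demoCA/serial"
  # Minimal config: just what `openssl req` and `openssl ca` need. policy_match
  # enforces the README's WARNING that O= must equal the CA certificate's O=.
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $work/demoCA
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
organizationName = match
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # CA key (kept 0600, as in the README) and self-signed CA certificate.
  openssl genrsa -out "$work/demoCA/private/cakey.pem" 2048 2>/dev/null
  chmod 600 "$work/demoCA/private/cakey.pem"
  openssl req -config "$work/ca.cnf" -x509 -new -key "$work/demoCA/private/cakey.pem" \
    -subj "/O=Example SIP/CN=Example CA" -out "$work/demoCA/cacert.pem" 2>/dev/null
  # Server request with an unencrypted key (-nodes), then sign it with -config so
  # `openssl ca` resolves the paths above rather than the system defaults.
  openssl req -config "$work/ca.cnf" -new -nodes -newkey rsa:2048 \
    -subj "/O=Example SIP/CN=$cn" -keyout "$work/privkey.pem" \
    -out "$work/ser1_cert_req.pem" 2>/dev/null
  openssl ca -config "$work/ca.cnf" -batch -in "$work/ser1_cert_req.pem" \
    -out "$work/ser1_cert.pem" 2>/dev/null
  echo "$work/ser1_cert.pem"
}
```

The resulting ser1_cert.pem, privkey.pem and demoCA/cacert.pem are the files the README then points ser.cfg at through the certificate, private_key and ca_list parameters.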
Hello,
please use an adequate subject. Your reported issue has nothing to do with a bug in the tls module. Where do you see the relation between the proxy's tls module and what is not working for you?
Btw, if the tls module is installed, you get self-signed certificates in the config directory.
Thanks, Daniel
On 9/3/10 12:29 PM, peter_green lion wrote:
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
hi Daniel, thanks for your suggestion.
Date: Fri, 3 Sep 2010 12:50:46 +0200
From: miconda@gmail.com
To: betergreen@live.com
CC: sr-users@lists.sip-router.org
Subject: Re: [SR-Users] help to fix bug in TLS module.
-- Daniel-Constantin Mierla http://www.asipto.com