Creating CA with CA.pl

[Jeffery Fernandez]

Hi all,

I am following a tutorial on creating a CA on my FreeBSD 5.3 development
box. The tutorial can be found at
[url]http://www.freebsddiary.org/openssl-client-authentication.php[/url]

I had a problem on signing the certificate as explained in this forum
thread: [url]http://www.freebsddiary.org/phorum/read.php?f=1&i=9702&t=9694[/url]

But now I have traced back the problem to the fourth step of that
article. So when I execute

perl CA.pl -newca


I get to enter the details of the certificate.. but when I completed
entering the details for

Email Address []:me@mydomain.com

I get the following output:

unknown option -next_serial
usage: x509 args
-inform arg - input format - default PEM (one of DER, NET or PEM)
-outform arg - output format - default PEM (one of DER, NET or PEM)
-keyform arg - private key format - default PEM
-CAform arg - CA format - default PEM
-CAkeyform arg - CA key format - default PEM
-in arg - input file - default stdin
-out arg - output file - default stdout
-passin arg - private key password source
-serial - print serial number value
-hash - print hash value
-subject - print subject DN
-issuer - print issuer DN
-email - print email address(es)
-startdate - notBefore field
-enddate - notAfter field
-purpose - print out certificate purposes
-dates - both Before and After dates
-modulus - print the RSA key modulus
-pubkey - output the public key
-fingerprint - print the certificate fingerprint
-alias - output certificate alias
-noout - no certificate output
-ocspid - print OCSP hash values for the subject name and
public key
-trustout - output a "trusted" certificate
-clrtrust - clear all trusted purposes
-clrreject - clear all rejected purposes
-addtrust arg - trust certificate for a given purpose
-addreject arg - reject certificate for a given purpose
-setalias arg - set certificate alias
-days arg - How long till expiry of a signed certificate - def 30
days
-checkend arg - check whether the cert expires in the next arg seconds
exit 1 if so, 0 if not
-signkey arg - self sign cert with arg
-x509toreq - output a certification request object
-req - input is a certificate request, sign and output.
-CA arg - set the CA certificate, must be PEM format.
-CAkey arg - set the CA key, must be PEM format
missing, it is assumed to be in the CA file.
-CAcreateserial - create serial number file if it does not exist
-CAserial arg - serial file
-set_serial - serial number to use
-text - print the certificate in text form
-C - print out C code forms
-md2/-md5/-sha1/-mdc2 - digest to use
-extfile - configuration file with X509V3 extensions to add
-extensions - section from config file with X509V3 extensions to add
-clrext - delete extensions before signing and input certificate
-nameopt arg - various certificate name options
-engine e - use engine e, possibly a hardware device.
-certopt arg - various certificate text options


I have googled for the "unknown option -next_serial" string with no
results. I also opened CA.pl and found "-next_serial" to be present on
line 108. Anyone have a clue why its failing on that line of code ? I
beleive the signing of the certificate is not working properly because
of this. Appreciate your help.

cheers,
Jeffery

[Jeffery Fernandez]

Jeffery Fernandez wrote:

> Hi all,
>
> I am following a tutorial on creating a CA on my FreeBSD 5.3
> development box. The tutorial can be found at
> [url]http://www.freebsddiary.org/openssl-client-authentication.php[/url]
>
> I had a problem on signing the certificate as explained in this forum
> thread: [url]http://www.freebsddiary.org/phorum/read.php?f=1&i=9702&t=9694[/url]
>
> But now I have traced back the problem to the fourth step of that
> article. So when I execute
>
> perl CA.pl -newca
>
>
> I get to enter the details of the certificate.. but when I completed
> entering the details for
>
> Email Address []:me@mydomain.com
>
> I get the following output:
>
> unknown option -next_serial
> usage: x509 args
> -inform arg - input format - default PEM (one of DER, NET or PEM)
> -outform arg - output format - default PEM (one of DER, NET or PEM)
> -keyform arg - private key format - default PEM
> -CAform arg - CA format - default PEM
> -CAkeyform arg - CA key format - default PEM
> -in arg - input file - default stdin
> -out arg - output file - default stdout
> -passin arg - private key password source
> -serial - print serial number value
> -hash - print hash value
> -subject - print subject DN
> -issuer - print issuer DN
> -email - print email address(es)
> -startdate - notBefore field
> -enddate - notAfter field
> -purpose - print out certificate purposes
> -dates - both Before and After dates
> -modulus - print the RSA key modulus
> -pubkey - output the public key
> -fingerprint - print the certificate fingerprint
> -alias - output certificate alias
> -noout - no certificate output
> -ocspid - print OCSP hash values for the subject name and
> public key
> -trustout - output a "trusted" certificate
> -clrtrust - clear all trusted purposes
> -clrreject - clear all rejected purposes
> -addtrust arg - trust certificate for a given purpose
> -addreject arg - reject certificate for a given purpose
> -setalias arg - set certificate alias
> -days arg - How long till expiry of a signed certificate - def
> 30 days
> -checkend arg - check whether the cert expires in the next arg seconds
> exit 1 if so, 0 if not
> -signkey arg - self sign cert with arg
> -x509toreq - output a certification request object
> -req - input is a certificate request, sign and output.
> -CA arg - set the CA certificate, must be PEM format.
> -CAkey arg - set the CA key, must be PEM format
> missing, it is assumed to be in the CA file.
> -CAcreateserial - create serial number file if it does not exist
> -CAserial arg - serial file
> -set_serial - serial number to use
> -text - print the certificate in text form
> -C - print out C code forms
> -md2/-md5/-sha1/-mdc2 - digest to use
> -extfile - configuration file with X509V3 extensions to add
> -extensions - section from config file with X509V3 extensions to add
> -clrext - delete extensions before signing and input certificate
> -nameopt arg - various certificate name options
> -engine e - use engine e, possibly a hardware device.
> -certopt arg - various certificate text options
>
>
> I have googled for the "unknown option -next_serial" string with no
> results. I also opened CA.pl and found "-next_serial" to be present on
> line 108. Anyone have a clue why its failing on that line of code ? I
> beleive the signing of the certificate is not working properly because
> of this. Appreciate your help.
>
> cheers,
> Jeffery
> _______________________________________________
> [email]freebsd-questions@freebsd.org[/email] mailing list
> [url]http://lists.freebsd.org/mailman/listinfo/freebsd-questions[/url]
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
>

:( anyone ?

[Karel Miklav]

Jeffery Fernandez wrote:

> I am following a tutorial on creating a CA on my FreeBSD 5.3 development
> box. The tutorial can be found at
> [url]http://www.freebsddiary.org/openssl-client-authentication.php[/url]
>
> I had a problem on signing the certificate as explained in this forum
> thread: [url]http://www.freebsddiary.org/phorum/read.php?f=1&i=9702&t=9694[/url]

Don't know about CA.pl, but try doing it manually. You should first edit
the openssl.conf, make a directory structure for your CA, setup files...
(man ca) then do something like this:

openssl req -new -x509 -keyout ca.key -out ca.pem -days 3650

Look around; there are many tutorials, guides, a Linux HOWTO... on the
net, it's not related to FreeBSD.

--

Regards,
Karel Miklav