openSSL assina certificado https_client com CA
Eu preciso:
criar um certificado de CAcrie um certificado https_clientassine o https_client-certificate pela CAusando a linha de comando no Linux - openSUSE. Eu crio o certificado da CA:
# openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
# openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
#
Funciona bem. Então eu crio o https_client-certificate:
# openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
#
# openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
#
Funciona bem. Agora, quando tento assinar o https_client-certificate com a CA, estou recebendo algum erro aqui:
# openssl ca -in client1.pem -out client11.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load CA private key
#
Eu já tentei:
usando caminhos absolutos ("Erro ao abrir a chave privada da CA" no Windows)mas sem sucesso para mim. Li em algum lugar que os atributos inseridos específicos precisam ser os mesmos inseridos na criação da CA, mas pelo menos ao criar certificados no Windows usando o XCA-Tool, isso não está correto. Posso inserir coisas completamente diferentes, desde que assine com a CA, que possa usá-las. Alguém pode me ajudar?
Atualizar: Eu só uso .key e .pem porque isso funciona para mim no Windows usando o XCA-Tool ... Estou lendo o livro de receitas openSSL (https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html) para ver se cometi algum erro especial. Primeiro pensamento,preciso usar .csr para assinar um certificado ou também posso fazer isso usando outro formato?