Monday, June 17, 2013

Using configuration from /etc/pki/tls/openssl.cnf /etc/pki/CA/index.txt: No such file or directory unable to open '/etc/pki/CA/index.txt' 3078076140:error:02001002:system library:fopen:No such file or directory

Suppose you run a command like the one below from a custom cert directory on your server (for example, I have a directory named "tomcat6-CAS-certs" under the path "/etc/pki/tls/" as my cert directory, to hold all my project's certificate-related files):

tomcat6-CAS-certs ] # openssl ca -keyfile tomcat6CAS-rootCAkey.key -cert tomcat6CAS-rootCAcert.crt  -out 216-113-229-31-serverCert.crt  -infiles 216-113-229-31-serverCSR.csr  -config openssl.cnf

It gives the error below:
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
3078514412:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
3078514412:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:

This is because the openssl command reads an openssl.cnf config file for its directory configuration.
By default it looks at /etc/pki/CA/index.txt for the index.txt file, which it uses as the database when signing our cert.

So, we need to copy the openssl.cnf file from its default location (/etc/pki/tls) to our required location (/etc/pki/tls/tomcat6-CAS-certs) and we will edit our version of the openssl.cnf file to contain directory paths related to our need.

# cd ..
[root@www tls]# pwd
Result :  /etc/pki/tls
you are now at :  /etc/pki/tls

#  cp openssl.cnf /etc/pki/tls/tomcat6-CAS-certs
# cd tomcat6-CAS-certs/
Now you are at : /etc/pki/tls/tomcat6-CAS-certs
Use the vi editor to edit your version of openssl.cnf file:
# vi openssl.cnf
I changed the settings below as per my requirement (underlined in yellow):



To make the openssl command use our version of the openssl.cnf file, we need to pass it to the command with the -config option.
The wrong way of using the -config option (here it comes after -infiles):
# openssl ca -keyfile tomcat6-CAS-ca.key -cert tomcat6-CAS-ca.crt -out 216-113-229-31.crt -infiles 216-113-229-31.csr -config openssl.cnf




Result:
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
3078887148:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
3078887148:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:

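The correct place for the -config option is shown below, before -infiles. The -infiles option must be the last option, because openssl ca treats every argument after it as the name of a certificate request file, so a trailing -config is never read as an option: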
#  openssl ca -config openssl.cnf  -keyfile tomcat6CAS-rootCAkey.key -cert tomcat6CAS-rootCAcert.crt  -out 216-113-229-31-serverCert.crt  -infiles 216-113-229-31-serverCSR.csr



Result :
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (YourCompanyName) and the request (YourCompanyName)
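
The whole procedure above as a self-contained script, added here as an example and not taken from the original post: it builds a throwaway CA directory with its own openssl.cnf, index.txt and serial, then signs a CSR with -config in each position. The function names, the ExampleOrg subject, the -batch flag and the minimal [ CA_default ] settings are assumptions for illustration; the author's actual edits to openssl.cnf were shown only in the image.

```shell
#!/bin/sh
# Added example: throwaway CA in a private directory. All names are constructed.
# Usage: d=$(mktemp -d); make_ca_dir "$d" && sign_config_first "$d"

make_ca_dir() {    # $1 = CA directory (an absolute path)
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"        # empty CA database, the file named in the error
    echo 01 > "$dir/serial"     # next serial number, in hex
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
organizationName = match
commonName       = supplied
[ req ]
distinguished_name = dn
[ dn ]
organizationName = Organization Name
EOF
    # Self-signed test CA and a server CSR with the same O, so policy_match passes.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/openssl.cnf" \
        -subj "/O=ExampleOrg/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/O=ExampleOrg/CN=server.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

sign_config_first() {   # -config before -infiles: our openssl.cnf is honoured
    openssl ca -batch -config "$1/openssl.cnf" -keyfile "$1/ca.key" \
        -cert "$1/ca.crt" -out "$1/server.crt" -infiles "$1/server.csr"
}

sign_config_last() {    # -config after -infiles: parsed as a request file name
    openssl ca -batch -keyfile "$1/ca.key" -cert "$1/ca.crt" \
        -out "$1/wrong.crt" -infiles "$1/server.csr" -config "$1/openssl.cnf"
}
```

After a successful sign_config_first, index.txt holds one line beginning with V for the issued certificate, and a copy of the certificate is stored as newcerts/01.pem.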