Monday, June 17, 2013

Using configuration from /etc/pki/tls/openssl.cnf /etc/pki/CA/index.txt: No such file or directory unable to open '/etc/pki/CA/index.txt' 3078076140:error:02001002:system library:fopen:No such file or directory

If you run a command like the one below from your server's custom cert directory (for example, I have a directory named "tomcat6-CAS-certs" under "/etc/pki/tls/" as my cert directory, to hold all of my project's certificate-related files):

tomcat6-CAS-certs ] # openssl ca -keyfile tomcat6CAS-rootCAkey.key -cert tomcat6CAS-rootCAcert.crt  -out 216-113-229-31-serverCert.crt  -infiles 216-113-229-31-serverCSR.csr  -config openssl.cnf

it will give the error below:
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
3078514412:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
3078514412:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:

This is because the openssl command reads an openssl.cnf config file for its directory configuration, and by default it looks for the index.txt file, the database used to sign our cert, at /etc/pki/CA/index.txt.

So, we need to copy the openssl.cnf file from its default location (/etc/pki/tls) to our required location (/etc/pki/tls/tomcat6-CAS-certs) and we will edit our version of the openssl.cnf file to contain directory paths related to our need.

# cd ..
[root@www tls]# pwd
Result :  /etc/pki/tls
you are now at :  /etc/pki/tls

#  cp openssl.cnf /etc/pki/tls/tomcat6-CAS-certs
# cd tomcat6-CAS-certs/
Now you are at : /etc/pki/tls/tomcat6-CAS-certs
Use the vi editor to edit your version of openssl.cnf file:
# vi openssl.cnf
I have changed as below as per my requirement (underlined in yellow) :



To make the openssl command use our version of the openssl.cnf file, we need to pass it with the -config option when running the command.
Wrong way of running the command, with the -config option placed after -infiles:
# openssl ca -keyfile tomcat6-CAS-ca.key -cert tomcat6-CAS-ca.crt -out 216-113-229-31.crt -infiles 216-113-229-31.csr -config openssl.cnf




Result:
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
3078887148:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
3078887148:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:

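The correct position for the -config option is shown below. It has to come before -infiles, because openssl ca treats every argument after -infiles as a certificate request file: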
#  openssl ca -config openssl.cnf  -keyfile tomcat6CAS-rootCAkey.key -cert tomcat6CAS-rootCAcert.crt  -out 216-113-229-31-serverCert.crt  -infiles 216-113-229-31-serverCSR.csr



Result :
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (YourCompanyName) and the request (YourCompanyName)
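
An added example (not from the original post): a POSIX shell preflight that reads the `[ CA_default ]` section of the openssl.cnf you pass to `-config` and reports which of the `database`, `serial` and `new_certs_dir` paths are missing, which is the condition behind the index.txt error above. It assumes the stock layout where those values are written as `$dir/...`; the function names `ca_setting` and `ca_preflight` are made up for this example.

```shell
#!/bin/sh
# Added example: check that the files `openssl ca` needs exist before signing.

# Print the value of key $2 from the [ CA_default ] section of config file $1.
ca_setting() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[[ \t]*CA_default[ \t]*\]/); next }
        in_sec {
            line = $0
            sub(/#.*/, "", line)                    # drop trailing comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Report CA_default paths that do not exist. Returns 0 when all are present.
# Relative paths are checked against the current directory, as openssl does.
ca_preflight() {
    cnf=$1
    dir=$(ca_setting "$cnf" dir)
    rc=0
    for key in database serial new_certs_dir; do
        val=$(ca_setting "$cnf" "$key")
        case $val in
            \$dir/*) path=$dir/${val#\$dir/} ;;     # expand the $dir reference
            *)       path=$val ;;
        esac
        if [ ! -e "$path" ]; then
            echo "missing $key: $path"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh ca_preflight.sh /etc/pki/tls/tomcat6-CAS-certs/openssl.cnf
if [ "$#" -gt 0 ]; then ca_preflight "$1"; fi
```

In a new CA directory the database is an empty index.txt and the serial file holds a starting hex number such as 01.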
