Koozali.org: home of the SME Server

Configuring a CA certificate in OpenSSL

mcascante
Configuring a CA certificate in OpenSSL
« on: September 25, 2012, 07:04:55 PM »
Hello friends, here I am again bothering you. I installed openvpn, phpki and openvpn bridge, and after hours and hours of struggling with something that in theory is quite simple, I have had [trouble] creating VPN certificates, both server and client or of any other type. Now, when I try to create a certificate, I get the following error:

Quote
There was an error updating the Certificate Revocation List.


Debug Info:

Generating Certificate Revocation List.
Using configuration from /opt/phpki/phpki-store/config/openssl.cnf
unable to load CA private key
29681:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: ANY PRIVATE KEY


I go to /opt/phpki-store/config/openssl.cnf and open the file to modify it, but all I find is the following:

Quote
HOME                    = /opt/phpki/phpki-store
RANDFILE                = /opt/phpki/phpki-store/CA/.rnd
dir                     = /opt/phpki/phpki-store/CA
certs                   = /opt/phpki/phpki-store/CA/certs
crl_dir                 = /opt/phpki/phpki-store/CA/crl
database                = /opt/phpki/phpki-store/CA/index.txt
new_certs_dir           = /opt/phpki/phpki-store/CA/newcerts
private_dir             = /opt/phpki/phpki-store/CA/private
serial                  = /opt/phpki/phpki-store/CA/serial
certificate             = /opt/phpki/phpki-store/CA/certs/cacert.pem
crl                     = /opt/phpki/phpki-store/CA/crl/cacrl.pem
private_key             = /opt/phpki/phpki-store/CA/private/cakey.pem
crl_extensions          = crl_ext
default_days            = 365
default_crl_days        = 30
preserve                = no
default_md              = sha1

[ ca ]
default_ca              = email_cert

[ root_cert ]
x509_extensions        = root_ext
default_days           = 3650
policy                 = policy_supplied

[ email_cert ]
x509_extensions        = email_ext
default_days           = 365
policy                 = policy_supplied

[ email_signing_cert ]
x509_extensions        = email_signing_ext
default_days           = 365
policy                 = policy_supplied

[ server_cert ]
x509_extensions        = server_ext
default_days           = 365
policy                 = policy_supplied

[ vpn_cert ]
x509_extensions        = vpn_client_server_ext
default_days           = 365
policy                 = policy_supplied

[ time_stamping_cert ]
x509_extensions        = time_stamping_ext
default_days           = 365
policy                 = policy_supplied

[ policy_supplied ]
countryName            = supplied
stateOrProvinceName    = supplied
localityName           = supplied
organizationName       = supplied
organizationalUnitName = supplied
commonName             = supplied
emailAddress           = supplied

[ root_ext ]
basicConstraints       = CA:true
keyUsage               = cRLSign, keyCertSign
nsCertType             = sslCA, emailCA, objCA
subjectKeyIdentifier   = hash
subjectAltName         = email:copy
crlDistributionPoints  = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment              = "PHPki/OpenSSL Generated Root Certificate Authority"
#nsCaRevocationUrl          = ns_revoke_query.php?
nsCaPolicyUrl          = http://www.somewhere.com/phpki/policy.html

[ email_ext ]
basicConstraints       = critical, CA:false
keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = critical, emailProtection, clientAuth
nsCertType             = critical, client, email
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName         = email:copy
issuerAltName          = issuer:copy
crlDistributionPoints  = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment              = "PHPki/OpenSSL Generated Personal Certificate"
nsBaseUrl              = http://www.somewhere.com/phpki/
nsRevocationUrl        = ns_revoke_query.php?
#nsRenewalUrl          =
nsCaPolicyUrl          = http://www.somewhere.com/phpki/policy.html
#nsSslServerName       =

[ email_signing_ext ]
basicConstraints       = critical, CA:false
keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = critical, emailProtection, clientAuth, codeSigning
nsCertType             = critical, client, email
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName         = email:copy
issuerAltName          = issuer:copy
crlDistributionPoints  = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment              = "PHPki/OpenSSL Generated Personal Certificate"
nsBaseUrl              = http://www.somewhere.com/phpki/
nsRevocationUrl        = ns_revoke_query.php?
#nsRenewalUrl          =
nsCaPolicyUrl          = http://www.somewhere.com/phpki/policy.html
#nsSslServerName       =

[ server_ext ]
basicConstraints        = CA:false
keyUsage                = critical, digitalSignature, keyEncipherment
nsCertType              = critical, server
extendedKeyUsage        = critical, serverAuth, 1.3.6.1.5.5.7.3.1
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
subjectAltName          = DNS:root certificate,email:copy
issuerAltName           = issuer:copy
crlDistributionPoints   = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment               = "PHPki/OpenSSL Generated Secure Server Certificate"
nsBaseUrl                       = http://www.somewhere.com/phpki/
nsRevocationUrl             = ns_revoke_query.php?
nsCaPolicyUrl           = http://www.somewhere.com/phpki/policy.html

[ time_stamping_ext ]
basicConstraints       = CA:false
keyUsage               = critical, nonRepudiation, digitalSignature
extendedKeyUsage       = timeStamping
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName         = DNS:root certificate,email:copy
issuerAltName          = issuer:copy
crlDistributionPoints  = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment              = \"PHPki/OpenSSL Generated Time Stamping Certificate\"
nsBaseUrl              = http://www.somewhere.com/phpki/
nsRevocationUrl        = ns_revoke_query.php?
nsCaPolicyUrl          = http://www.somewhere.com/phpki/policy.html


[ vpn_client_ext ]
basicConstraints        = critical, CA:false
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, clientAuth
nsCertType              = critical, client
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
subjectAltName          = DNS:root certificate,email:copy

[ vpn_server_ext ]
basicConstraints        = critical, CA:false
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, serverAuth
nsCertType              = critical, server
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
subjectAltName          = DNS:root certificate,email:copy

[ vpn_client_server_ext ]
basicConstraints        = critical, CA:false
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, serverAuth, clientAuth
nsCertType              = critical, server, client
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
subjectAltName          = DNS:root certificate,email:copy

[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_name
string_mask             = nombstr
req_extensions          = req_ext

[ req_name]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     =

localityName                    = Locality Name (eg, city)
localityName_default            =

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      =

1.organizationName              = Second Organization Name (eg, company)
1.organizationName_default      =

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  =

commonName                      = Common Name (eg, YOUR name)

emailAddress                    = Email Address or Web URL

[ req_ext ]
basicConstraints = critical, CA:false

Where could the error be?
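The error in the post ("PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY") means OpenSSL opened the file named by `private_key` in openssl.cnf but found no `-----BEGIN ... PRIVATE KEY-----` block in it, so the config itself is usually not the problem. The following diagnostic script is an added example, not code from the thread or from PHPki: it reads the `private_key` and `certificate` paths out of the posted openssl.cnf, checks that the key file exists and is PEM, and, where `openssl pkey` is available (OpenSSL 1.0.0 or later is assumed), confirms the key parses and matches the CA certificate.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): reads the file paths that an
# openssl.cnf points at and checks whether the CA key can be loaded.
# "no start line ... Expecting: ANY PRIVATE KEY" means the file named by
# private_key was opened but contains no "-----BEGIN ... PRIVATE KEY-----"
# block: it is empty, DER-encoded, or is not a key at all.

# Print the value of KEY from CNF (first match, surrounding spaces trimmed).
cnf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if FILE holds a PEM private-key block, 1 otherwise; print why.
check_pem_key() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -s "$f" ] || { echo "empty: $f"; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "no PEM private key header in: $f"; return 1; }
    echo "pem key ok: $f"
}

# Check the CA material referenced by CNF; return non-zero on any problem.
diagnose_ca() {
    cnf="$1"
    key=$(cnf_value "$cnf" private_key)
    cert=$(cnf_value "$cnf" certificate)
    [ -n "$key" ] || { echo "private_key not set in $cnf"; return 1; }
    check_pem_key "$key" || return 1
    # Deeper check when openssl and the CA cert are present (assumes
    # OpenSSL >= 1.0.0 for "pkey"): the key must parse and its public
    # half must match the CA certificate.
    if command -v openssl >/dev/null 2>&1 && [ -f "$cert" ]; then
        openssl pkey -in "$key" -noout 2>/dev/null ||
            { echo "key does not parse: $key"; return 1; }
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        [ "$kpub" = "$cpub" ] ||
            { echo "key does not match CA certificate $cert"; return 1; }
        echo "key matches CA certificate: $cert"
    fi
}

# Usage: sh ca_check.sh /opt/phpki/phpki-store/config/openssl.cnf
if [ $# -gt 0 ]; then diagnose_ca "$1"; fi
```

If the key file turns out to be empty or missing, the fix is on the PHPki side (the CA was never initialised, or its key was lost), not in the openssl.cnf sections shown above.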

dante5do
Re: Configuring a CA certificate in OpenSSL
« Reply #1 on: December 21, 2012, 12:25:38 AM »
Could you post your SME version and the commands you used to generate the certificates, if you haven't switched to Endian by now, hehe

Best regards
Dante Carlos Aguirre Quezada