Buenas amigos, acá de nuevo molestando. Instalé openvpn, phpki y openvpn bridge; después de horas y horas batallando con algo que en teoría es bastante simple, he tenido problemas para crear certificados VPN, tanto de servidor como de cliente o de cualquier tipo. Ahora, cuando intento crear un certificado, me encuentro con el siguiente error:
There was an error updating the Certificate Revocation List.
Debug Info:
Generating Certificate Revocation List.
Using configuration from /opt/phpki/phpki-store/config/openssl.cnf
unable to load CA private key
29681:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: ANY PRIVATE KEY
Voy a la dirección /opt/phpki-store/config/openssl.cnf y, abriendo el archivo para modificarlo, solo encuentro lo siguiente:
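# Global defaults for the PHPki certificate authority. Keys set before the
# first section header sit in OpenSSL's default section and act as fallbacks
# for the CA profiles defined further down.
HOME = /opt/phpki/phpki-store
RANDFILE = /opt/phpki/phpki-store/CA/.rnd
dir = /opt/phpki/phpki-store/CA
certs = /opt/phpki/phpki-store/CA/certs
crl_dir = /opt/phpki/phpki-store/CA/crl
database = /opt/phpki/phpki-store/CA/index.txt
new_certs_dir = /opt/phpki/phpki-store/CA/newcerts
private_dir = /opt/phpki/phpki-store/CA/private
serial = /opt/phpki/phpki-store/CA/serial
certificate = /opt/phpki/phpki-store/CA/certs/cacert.pem
crl = /opt/phpki/phpki-store/CA/crl/cacrl.pem
# CA signing key. "unable to load CA private key ... no start line" means
# OpenSSL read this file but found no PEM "-----BEGIN ... PRIVATE KEY-----"
# header in it; typically the file is empty or is not a PEM key. Check that it
# exists, is non-empty and is readable by the account the web server runs as,
# and keep it readable by that account only.
private_key = /opt/phpki/phpki-store/CA/private/cakey.pem
crl_extensions = crl_ext
# Validity of issued certificates, in days, unless a profile overrides it.
default_days = 365
# Days until the next CRL is due.
default_crl_days = 30
preserve = no
# SHA-1 signatures are no longer collision-resistant; sign with SHA-256.
default_md = sha256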
# Profile used by "openssl ca" when no profile is named on the command line.
[ ca ]
default_ca = email_cert
# Each profile below names the extension section stamped into the issued
# certificate, its validity in days, and the subject-name policy to enforce.
[ root_cert ]
x509_extensions = root_ext
# Ten-year validity for the root certificate.
default_days = 3650
policy = policy_supplied
[ email_cert ]
x509_extensions = email_ext
default_days = 365
policy = policy_supplied
[ email_signing_cert ]
x509_extensions = email_signing_ext
default_days = 365
policy = policy_supplied
[ server_cert ]
x509_extensions = server_ext
default_days = 365
policy = policy_supplied
# NOTE(review): VPN certificates get vpn_client_server_ext, which allows both
# serverAuth and clientAuth. The narrower vpn_client_ext and vpn_server_ext
# sections exist but no profile in this listing references them, so a client
# certificate is also valid as a server certificate. Confirm this is intended.
[ vpn_cert ]
x509_extensions = vpn_client_server_ext
default_days = 365
policy = policy_supplied
[ time_stamping_cert ]
x509_extensions = time_stamping_ext
default_days = 365
policy = policy_supplied
# Subject-name policy shared by every profile: "supplied" makes a field
# mandatory, so a request missing any of these seven fields is refused.
[ policy_supplied ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied
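# Extensions for the self-signed root CA certificate.
[ root_ext ]
# NOTE(review): RFC 5280 expects basicConstraints to be marked critical on CA
# certificates; it is not marked critical here.
basicConstraints = CA:true
# The root key may only sign certificates and CRLs.
keyUsage = cRLSign, keyCertSign
# nsCertType, nsComment and the other ns* keys are legacy Netscape extensions.
nsCertType = sslCA, emailCA, objCA
subjectKeyIdentifier = hash
subjectAltName = email:copy
# www.somewhere.com is a placeholder host; relying parties can only fetch the
# CRL if this points at the real PHPki URL. The query value is "dl_crl"; the
# space inside it was a line-wrap artifact.
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment = "PHPki/OpenSSL Generated Root Certificate Authority"
#nsCaRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html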
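# Extensions for personal (e-mail / client authentication) certificates.
[ email_ext ]
basicConstraints = critical, CA:false
# "keyEncipherment" is one token; the space inside it was a line-wrap artifact
# and would not be a valid key usage name.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, emailProtection, clientAuth
# NOTE(review): nsCertType is a legacy Netscape extension; marking it critical
# may make software that does not recognise it reject the certificate.
nsCertType = critical, client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
# www.somewhere.com is a placeholder host; replace it with the real PHPki URL
# so the CRL can actually be fetched.
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment = "PHPki/OpenSSL Generated Personal Certificate"
nsBaseUrl = http://www.somewhere.com/phpki/
nsRevocationUrl = ns_revoke_query.php?
#nsRenewalUrl =
nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html
#nsSslServerName =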
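# Extensions for personal certificates that may also sign code.
[ email_signing_ext ]
basicConstraints = critical, CA:false
# "keyEncipherment" is one token; the space inside it was a line-wrap artifact
# and would not be a valid key usage name.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# NOTE(review): one key is allowed for e-mail, client login and code signing;
# separate certificates per purpose limit the damage if the key is exposed.
extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning
nsCertType = critical, client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
# www.somewhere.com is a placeholder host; replace it with the real PHPki URL
# so the CRL can actually be fetched.
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment = "PHPki/OpenSSL Generated Personal Certificate"
nsBaseUrl = http://www.somewhere.com/phpki/
nsRevocationUrl = ns_revoke_query.php?
#nsRenewalUrl =
nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html
#nsSslServerName =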
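# Extensions for TLS server certificates.
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = critical, server
# 1.3.6.1.5.5.7.3.1 is the OID of serverAuth, so the same purpose is listed
# twice here.
extendedKeyUsage = critical, serverAuth, 1.3.6.1.5.5.7.3.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# NOTE(review): "root certificate" is not a host name; presumably PHPki fills
# this value in per certificate. Verify that issued certificates carry the
# server's real DNS name, since clients match the host against this field.
subjectAltName = DNS:root certificate,email:copy
issuerAltName = issuer:copy
# www.somewhere.com is a placeholder host; replace it with the real PHPki URL
# so the CRL can actually be fetched. The query value is "dl_crl"; the space
# inside it was a line-wrap artifact.
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
nsComment = "PHPki/OpenSSL Generated Secure Server Certificate"
nsBaseUrl = http://www.somewhere.com/phpki/
nsRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html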
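# Extensions for time-stamping authority certificates.
[ time_stamping_ext ]
basicConstraints = CA:false
keyUsage = critical, nonRepudiation, digitalSignature
# NOTE(review): RFC 3161 requires the timeStamping extended key usage to be
# marked critical; it is not marked critical here.
extendedKeyUsage = timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# NOTE(review): "root certificate" is not a host name; presumably PHPki fills
# this value in per certificate. Verify what issued certificates contain.
subjectAltName = DNS:root certificate,email:copy
issuerAltName = issuer:copy
# www.somewhere.com is a placeholder host; replace it with the real PHPki URL
# so the CRL can actually be fetched.
crlDistributionPoints = URI:http://www.somewhere.com/phpki/index.php?stage=dl_crl
# Plain double quotes, as in every other nsComment of this file; the
# backslash-escaped form would put literal quote characters into the value.
nsComment = "PHPki/OpenSSL Generated Time Stamping Certificate"
nsBaseUrl = http://www.somewhere.com/phpki/
nsRevocationUrl = ns_revoke_query.php?
nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html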
# Extensions for a VPN client-only certificate (clientAuth, no serverAuth).
# No profile in this listing references this section.
[ vpn_client_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth
nsCertType = critical, client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# NOTE(review): "root certificate" is not a host name; presumably PHPki fills
# this value in per certificate. Verify what issued certificates contain.
subjectAltName = DNS:root certificate,email:copy
# Extensions for a VPN server-only certificate (serverAuth, no clientAuth).
# No profile in this listing references this section.
[ vpn_server_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
nsCertType = critical, server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# NOTE(review): "root certificate" is not a host name; presumably PHPki fills
# this value in per certificate. Verify what issued certificates contain.
subjectAltName = DNS:root certificate,email:copy
# Extensions used by the vpn_cert profile. The certificate is valid both as a
# TLS server and as a TLS client.
[ vpn_client_server_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
# NOTE(review): with both purposes present, a VPN peer that checks the
# certificate purpose cannot tell a client certificate from a server one.
extendedKeyUsage = critical, serverAuth, clientAuth
nsCertType = critical, server, client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# NOTE(review): "root certificate" is not a host name; presumably PHPki fills
# this value in per certificate. Verify what issued certificates contain.
subjectAltName = DNS:root certificate,email:copy
# Extensions written into each generated CRL (named by crl_extensions in the
# global settings). CRL generation is the step that fails in the error shown
# above, because signing the CRL needs the CA private key.
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
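# Defaults for generating keys and certificate requests.
[ req ]
# 1024-bit RSA keys are below current minimum strength; use at least 2048.
default_bits = 2048
default_keyfile = privkey.pem
# Section holding the subject-name prompts.
distinguished_name = req_name
string_mask = nombstr
# Section holding the extensions added to each request.
req_extensions = req_ext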
# Subject-name prompts for certificate requests: each field's value is the
# prompt text, "_default" is the pre-filled answer, "_min"/"_max" bound the
# answer length.
[ req_name]
countryName = Country Name (2 letter code)
countryName_default = US
# Country code must be exactly two characters.
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default =
localityName = Locality Name (eg, city)
localityName_default =
# The "0." and "1." prefixes allow the same field to appear twice.
0.organizationName = Organization Name (eg, company)
0.organizationName_default =
1.organizationName = Second Organization Name (eg, company)
1.organizationName_default =
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
emailAddress = Email Address or Web URL
# Extensions placed in every certificate request: the request declares itself
# a non-CA (end-entity) certificate.
[ req_ext ]
basicConstraints = critical, CA:false
¿Dónde estará el error?